Google Git
Sign in
chromium / chromium / src / ce54860c90a34590b5295addf82f6863e444a63f / . / components / arc / mojom / keymaster.mojom
blob: 24475b726365bec92d0ac074e4dc31044a201b3a [file] [log] [blame]
// Copyright 2019 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Next MinVersion: 1
// This file defines the mojo interface between Android and Chrome OS for the
// keymaster implementation used in ARC.
module arc.mojom;
// Host is implemented in Chrome. Listens until server and instance come online
// and forwards a server handle to the instance.
interface KeymasterHost {
GetServer@0() => (KeymasterServer server_ptr);
};
// Instance is implemented in ARC. Retrieves a server pointer from the host and
// uses it to fulfill Android Keymaster operations.
interface KeymasterInstance {
Init@0(KeymasterHost host_ptr) => ();
};
// Server is implemented in arc-keymasterd in Chrome OS. This interface is the
// mojo equivalent of the Keymaster 3.0 HIDL interface. Please refer to
// Android's IKeymasterDevice.hal for a more detailed description on how the
// methods and structs below should function.
interface KeymasterServer {
// Sets the Android version information used.
SetSystemVersion@0(uint32 os_version, uint32 os_patchlevel);
AddRngEntropy@1(array<uint8> data) => (int32 error);
// Returns the characteristics of the specified key if it is valid.
GetKeyCharacteristics@2(GetKeyCharacteristicsRequest request) =>
(GetKeyCharacteristicsResult response);
GenerateKey@3(array<KeyParameter> key_params) => (GenerateKeyResult response);
ImportKey@4(ImportKeyRequest request) => (ImportKeyResult response);
// Exports a public key, returning the key in the specified format.
ExportKey@5(ExportKeyRequest request) => (ExportKeyResult response);
// Generates a signed X.509 certificate chain attesting to the presence of
// keyToAttest in Keymaster.
AttestKey@6(AttestKeyRequest request) => (AttestKeyResult result);
// Upgrades a key generated by an older version of the Keymaster.
UpgradeKey@7(UpgradeKeyRequest request) => (UpgradeKeyResult response);
DeleteKey@8(array<uint8> key_blob) => (int32 error);
DeleteAllKeys@9() => (int32 error);
// Begins a cryptographic operation using the specified key.
Begin@10(BeginRequest request) => (BeginResult result);
// Provides data and possibly receives output from an ongoing operation.
Update@11(UpdateRequest request) => (UpdateResult response);
// Finalizes a cryptographic operation and invalidates operation handle.
Finish@12(FinishRequest request) => (FinishResult response);
// Aborts an operation and invalidates the operation handle.
Abort@13(uint64 op_handle) => (int32 error);
};
////////////////////////////////////////////////////////////////////////////////
// KeymasterServer helper enums and structs
[Extensible]
enum KeyPurpose {
ENCRYPT = 0, // Usable with RSA, EC and AES keys.
DECRYPT = 1, // Usable with RSA, EC and AES keys.
SIGN = 2, // Usable with RSA, EC and HMAC keys.
VERIFY = 3, // Usable with RSA, EC and HMAC keys.
DERIVE_KEY = 4, // Usable with EC keys.
WRAP_KEY = 5, // Usable with wrapping keys.
};
[Extensible]
enum KeyFormat {
X509 = 0, // for public key export
PKCS8 = 1, // for asymmetric key pair import
RAW = 3, // for symmetric key import and export
};
// Helper union for key parameter values.
union IntegerKeyParam {
bool boolean_value; // KM_BOOL
uint32 integer; // KM_ENUM, KM_ENUM_REP, KM_INT and KM_INT_REP
uint64 long_integer; // KM_LONG
uint64 date_time; // KM_DATE
array<uint8> blob; // KM_BIGNUM and KM_BYTES
};
struct KeyParameter {
// Discriminates the IntegerKeyParam union field used.
uint32 tag;
IntegerKeyParam param;
};
// Defines the attributes of a key, including cryptographic parameters, and
// usage restrictions.
struct KeyCharacteristics {
array<KeyParameter> software_enforced;
array<KeyParameter> tee_enforced;
};
////////////////////////////////////////////////////////////////////////////////
// KeymasterServer request and response structs
struct GetKeyCharacteristicsRequest {
array<uint8> key_blob;
array<uint8> client_id;
array<uint8> app_data;
};
struct GetKeyCharacteristicsResult {
KeyCharacteristics key_characteristics;
int32 error;
};
struct GenerateKeyResult {
array<uint8> key_blob;
KeyCharacteristics key_characteristics;
int32 error;
};
struct ImportKeyRequest {
array<KeyParameter> key_description;
KeyFormat key_format;
array<uint8> key_data;
};
struct ImportKeyResult {
array<uint8> key_blob;
KeyCharacteristics key_characteristics;
int32 error;
};
struct ExportKeyRequest {
KeyFormat key_format;
array<uint8> key_blob;
array<uint8> client_id;
array<uint8> app_data;
};
struct ExportKeyResult {
array<uint8> key_material;
int32 error;
};
struct AttestKeyRequest {
array<uint8> key_to_attest;
array<KeyParameter> attest_params;
};
struct AttestKeyResult {
array<array<uint8>> cert_chain;
int32 error;
};
struct UpgradeKeyRequest {
array<uint8> key_blob_to_upgrade;
array<KeyParameter> upgrade_params;
};
struct UpgradeKeyResult {
array<uint8> upgraded_key_blob;
int32 error;
};
struct BeginRequest {
KeyPurpose purpose;
array<uint8> key;
array<KeyParameter> in_params;
};
struct BeginResult {
array<KeyParameter> out_params;
uint64 op_handle;
int32 error;
};
struct UpdateRequest {
uint64 op_handle;
array<KeyParameter> in_params;
array<uint8> input;
};
struct UpdateResult {
uint32 input_consumed;
array<KeyParameter> out_params;
array<uint8> output;
int32 error;
};
struct FinishRequest {
uint64 op_handle;
array<KeyParameter> in_params;
array<uint8> input;
array<uint8> signature;
};
struct FinishResult {
array<KeyParameter> out_params;
array<uint8> output;
int32 error;
};