1 page.title=Implementer's Reference 2 @jd:body 3 4 <!-- 5 Copyright 2015 The Android Open Source Project 6 7 Licensed under the Apache License, Version 2.0 (the "License"); 8 you may not use this file except in compliance with the License. 9 You may obtain a copy of the License at 10 11 http://www.apache.org/licenses/LICENSE-2.0 12 13 Unless required by applicable law or agreed to in writing, software 14 distributed under the License is distributed on an "AS IS" BASIS, 15 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 See the License for the specific language governing permissions and 17 limitations under the License. 18 --> 19 20 <p>This page provides details to assist implementers of <a href="index.html">Keymaster</a> HALs. It 21 covers each tag and each function in the HAL.</p> 22 23 <h2 id=authorization_tags>Authorization tags</h2> 24 25 <p>Except as noted in the tag descriptions, all of the tags below are used during 26 key generation to specify key characteristics.</p> 27 28 <h3 id=km_tag_purpose>KM_TAG_PURPOSE</h3> 29 30 <p>Specifies the set of purposes for which the key may be used.</p> 31 32 <p>Possible values are defined by the following enumeration:</p> 33 34 <pre> 35 typedef enum { 36 KM_PURPOSE_ENCRYPT = 0, 37 KM_PURPOSE_DECRYPT = 1, 38 KM_PURPOSE_SIGN = 2, 39 KM_PURPOSE_VERIFY = 3, 40 } keymaster_purpose_t; 41 </pre> 42 43 <p>This tag is repeatable; keys may be generated with multiple values, although an 44 operation has a single purpose. When the <a href="#begin">begin</a> function is called to 45 start an operation, the purpose of the operation is 46 specified. If the purpose specified to the operation is not authorized by the 47 key, the operation must fail with <code>KM_ERROR_INCOMPATIBLE_PURPOSE</code>.</p> 48 49 <h3 id=km_tag_algorithm>KM_TAG_ALGORITHM</h3> 50 51 <p>Specifies the cryptographic algorithm with which the key is used.</p> 52 53 <p>Possible values are defined by the following enumeration:</p> 54 55 <pre> 56 typedef enum { 57 KM_ALGORITHM_RSA = 1, 58 KM_ALGORITHM_EC = 3, 59 KM_ALGORITHM_AES = 32, 60 KM_ALGORITHM_HMAC = 128, 61 } keymaster_algorithm_t; 62 </pre> 63 64 <p>This tag is not repeatable.</p> 65 66 <h3 id=km_tag_key_size>KM_TAG_KEY_SIZE</h3> 67 68 <p>Specifies the size, in bits, of the key, measuring in the normal way for the 69 key's algorithm. For example, for RSA keys, <code>KM_TAG_KEY_SIZE</code> specifies 70 the size of the public modulus. For AES keys it specifies the length 71 of the secret key material.</p> 72 73 <p>This tag is not repeatable.</p> 74 75 <h3 id=km_tag_block_mode>KM_TAG_BLOCK_MODE</h3> 76 77 <p>Specifies the block cipher mode(s) with which the key may be used. This tag is 78 only relevant to AES keys.</p> 79 80 <p>Possible values are defined by the following enumeration:</p> 81 82 <pre> 83 typedef enum { 84 KM_MODE_ECB = 1, 85 KM_MODE_CBC = 2, 86 KM_MODE_CTR = 3, 87 KM_MODE_GCM = 32, 88 } keymaster_block_mode_t; 89 </pre> 90 91 <p>This tag is repeatable, and for AES key operations a mode must be specified in 92 the <code>additional_params</code> argument of <a href="#begin">begin</a>. If the specified 93 mode is not in the modes associated with the key, the 94 operation must fail with <code>KM_ERROR_INCOMPATIBLE_BLOCK_MODE</code>.</p> 95 96 <h3 id=km_tag_digest>KM_TAG_DIGEST</h3> 97 98 <p>Specifies the digest algorithms which may be used with the key to perform 99 signing and verification operations. This tag is relevant to RSA, ECDSA and 100 HMAC keys.</p> 101 102 <p>Possible values are defined by the following enumeration:</p> 103 104 <pre> 105 typedef enum { 106 KM_DIGEST_NONE = 0, 107 KM_DIGEST_MD5 = 1, 108 KM_DIGEST_SHA1 = 2, 109 KM_DIGEST_SHA_2_224 = 3, 110 KM_DIGEST_SHA_2_256 = 4, 111 KM_DIGEST_SHA_2_384 = 5, 112 KM_DIGEST_SHA_2_512 = 6, 113 } 114 keymaster_digest_t; 115 </pre> 116 117 <p>This tag is repeatable. For signing and verification operations a digest must 118 be specified in the <code>additional_params</code> argument of <a href="#begin">begin</a>. 119 If the specified digest is not in the digests associated with the key, the 120 operation must fail with <code>KM_ERROR_INCOMPATIBLE_DIGEST</code>.</p> 121 122 <h3 id=km_tag_padding>KM_TAG_PADDING</h3> 123 124 <p>Specifies the padding modes which may be used with the key. This tag is 125 relevant to RSA and AES keys.</p> 126 127 <p>Possible values are defined by the following enumeration:</p> 128 129 <pre> 130 typedef enum { 131 KM_PAD_NONE = 1, 132 KM_PAD_RSA_OAEP = 2, 133 KM_PAD_RSA_PSS = 3, 134 KM_PAD_RSA_PKCS1_1_5_ENCRYPT = 4, 135 KM_PAD_RSA_PKCS1_1_5_SIGN = 5, 136 KM_PAD_PKCS7 = 64, 137 } keymaster_padding_t; 138 </pre> 139 140 <p><code>KM_PAD_RSA_OAEP</code> and <code>KM_PAD_RSA_PKCS1_1_5_ENCRYPT</code> are used 141 only for RSA encryption/decryption keys and specify RSA PKCS#1v2 OAEP 142 padding and RSA PKCS#1 v1.5 randomized padding, respectively. <code>KM_PAD_RSA_PSS</code> and 143 <code>KM_PAD_RSA_PKCS1_1_5_SIGN</code> are used only for RSA signing/verification keys and 144 specify RSA PKCS#1v2 PSS 145 padding and RSA PKCS#1 v1.5 deterministic padding, respectively. Note also that 146 the RSA PSS padding mode is incompatible with <a href="#km_tag_digest">KM_DIGEST_NONE</a>.</p> 147 148 <p><code>KM_PAD_NONE</code> may be used with either RSA or AES keys. For AES keys, 149 if <code>KM_PAD_NONE</code> is used with block mode ECB or CBC and the data to be encrypted 150 or decrypted 151 is not a multiple of the AES block size in length, the call to finish must fail 152 with <code>KM_ERROR_INVALID_INPUT_LENGTH</code>.</p> 153 154 <p><code>KM_PAD_PKCS7</code> may only be used with AES keys, and only with ECB and CBC modes.</p> 155 156 <p>This tag is repeatable. A padding mode must be specified in the call to 157 <a href="#begin">begin</a>. If the specified mode is not authorized for the key, 158 the operation must fail 159 with <code>KM_ERROR_INCOMPATIBLE_BLOCK_MODE</code>.</p> 160 161 <h3 id=km_tag_caller_nonce>KM_TAG_CALLER_NONCE</h3> 162 163 <p>Specifies that the caller is allowed to provide a nonce for nonce-requiring 164 operations.</p> 165 166 <p>This tag is boolean, so the possible values are true (if the tag is present) 167 and false (if the tag is not present).</p> 168 169 <p>This tag is used only for AES keys, and is only relevant for CBC, CTR and GCM 170 block modes. If the tag is not present, implementations should reject any 171 operation which provides <a href="#km_tag_nonce">KM_TAG_NONCE</a> to <a href="#begin">begin</a> 172 with <code>KM_ERROR_CALLER_NONCE_PROHIBITED</code>.</p> 173 174 <p>This tag is not repeatable.</p> 175 176 <h3 id=km_tag_min_mac_length>KM_TAG_MIN_MAC_LENGTH</h3> 177 178 <p>Required for HMAC keys and AES keys that support GCM mode, this tag specifies 179 the minimum length of MAC that can be requested or verified with this key.</p> 180 181 <p>This value is the minimum MAC length, in bits. It must be a multiple of 8. For 182 HMAC keys, the value must be at least 64. For GCM keys it must be at least 96 183 and must not exceed 128.</p> 184 185 <h3 id=km_tag_rsa_public_exponent>KM_TAG_RSA_PUBLIC_EXPONENT</h3> 186 187 <p>Specifies the value of the public exponent for an RSA key pair. This tag is 188 relevant only to RSA keys, and required for all RSA keys.</p> 189 190 <p>The value is a 64-bit unsigned integer that must satisfy the requirements of an 191 RSA public exponent. Because it is specified by the caller and therefore cannot 192 be chosen by the implementation, it must be a prime number. Trustlets are 193 required to support the value 2^16+1. It is recommended that other reasonable 194 values be supported, in particular the value 3. If no exponent is specified or 195 if the specified exponent is not supported, key generation must fail 196 with <code>KM_ERROR_INVALID_ARGUMENT</code>.</p> 197 198 <p>This tag is not repeatable.</p> 199 200 <h3 id=km_tag_blob_usage_requirements>KM_TAG_BLOB_USAGE_REQUIREMENTS</h3> 201 202 <p>Specifies the system environment conditions which must hold for the generated 203 key to be used.</p> 204 205 <p>Possible values are defined by the following enumeration:</p> 206 207 <pre> 208 typedef enum { 209 KM_BLOB_STANDALONE = 0, 210 KM_BLOB_REQUIRES_FILE_SYSTEM = 1, 211 } keymaster_key_blob_usage_requirements_t; 212 </pre> 213 214 <p>This tag may be specified during key generation to require that the key be 215 usable in the specified condition, and must be returned with the key 216 characteristics (from <a href="#generate_key">generate_key</a> and 217 <a href="#get_key_characteristics">get_key_characteristics</a>). If 218 the caller specifies <code>KM_TAG_BLOB_USAGE_REQUIREMENTS</code> with 219 value <code>KM_BLOB_STANDALONE</code> the trustlet must return a key blob 220 which can be used without file system 221 support. This is critical for devices with encrypted disks, where the file 222 system may not be available until after a Keymaster key is used to decrypt the 223 disk.</p> 224 225 <p>This tag is not repeatable.</p> 226 227 <h3 id=km_tag_bootloader_only>KM_TAG_BOOTLOADER_ONLY</h3> 228 229 <p>Specifies that the key may only be used by the bootloader.</p> 230 231 <p>This tag is boolean, so the possible values are true (if the tag is present) 232 and false (if the tag is not present).</p> 233 234 <p>Any attempt to use a key with <code>KM_TAG_BOOTLOADER_ONLY</code> from the 235 Android system must fail with <code>KM_ERROR_INVALID_KEY_BLOB</code>.</p> 236 237 <p>This tag is not repeatable.</p> 238 239 <h3 id=km_tag_active_datetime>KM_TAG_ACTIVE_DATETIME</h3> 240 241 <p>Specifies the date and time at which the key becomes active. Prior to this 242 time, any attempt to use the key must fail with <code>KM_ERROR_KEY_NOT_YET_VALID</code>.</p> 243 244 <p>The value is a 64-bit integer representing milliseconds since January 1, 1970.</p> 245 246 <p>This tag is not repeatable.</p> 247 248 <h3 id=km_tag_origination_expire_datetime>KM_TAG_ORIGINATION_EXPIRE_DATETIME</h3> 249 250 <p>Specifies the date and time at which the key expires for signing and encryption 251 purposes. After this time, any attempt to use a key 252 with <a href="#km_tag_purpose">KM_PURPOSE_SIGN</a> or 253 <a href="#km_tag_purpose">KM_PURPOSE_ENCRYPT</a> provided 254 to <a href="#begin">begin</a> must fail with <code>KM_ERROR_KEY_EXPIRED</code>.</p> 255 256 <p>The value is a 64-bit integer representing milliseconds since January 1, 1970.</p> 257 258 <p>This tag is not repeatable.</p> 259 260 <h3 id=km_tag_usage_expire_datetime>KM_TAG_USAGE_EXPIRE_DATETIME</h3> 261 262 <p>Specifies the date and time at which the key expires for verification and 263 decryption purposes. After this time, any attempt to use a key with 264 <a href="#km_tag_purpose">KM_PURPOSE_VERIFY</a> or <a href="#km_tag_purpose">KM_PURPOSE DECRYPT</a> 265 provided to <a href="#begin">begin</a> must fail with <code>KM_ERROR_KEY_EXPIRED</code>.</p> 266 267 <p>The value is a 64-bit integer representing milliseconds since January 1, 1970.</p> 268 269 <p>This tag is not repeatable.</p> 270 271 <h3 id=km_tag_min_seconds_between_ops>KM_TAG_MIN_SECONDS_BETWEEN_OPS</h3> 272 273 <p>Specifies the minimum amount of time that must elapse between allowed 274 operations using a key. This can be used to rate-limit uses of keys in contexts 275 where unlimited use may enable brute force attacks.</p> 276 277 <p>The value is a 32-bit integer representing seconds between allowed operations.</p> 278 279 <p>When a key with this tag is used in an operation, a timer should be started 280 during the <a href="#finish">finish</a> or <a href="#abort">abort</a> call. Any 281 call to <a href="#begin">begin</a> that is received before the timer indicates 282 that the interval specified by <code>KM_TAG_MIN_SECONDS_BETWEEN_OPS</code> has 283 elapsed must fail with <code>KM_ERROR_KEY_RATE_LIMIT_EXCEEDED</code>. This 284 requirement implies that a trustlet must keep a table of timers for keys 285 with this tag. Because Keymaster memory is often limited, it is acceptable for 286 this table to have a fixed maximum size and for Keymaster to fail operations 287 which attempt to use keys with this tag when the table is full. At least 32 288 in-use keys must be accommodated, and table slots must be aggressively reused 289 when key minimum-usage intervals expire. If an operation fails because the 290 table is full, Keymaster should return <code>KM_ERROR_TOO_MANY_OPERATIONS</code>.</p> 291 292 <p>This tag is not repeatable.</p> 293 294 <h3 id=km_tag_max_uses_per_boot>KM_TAG_MAX_USES_PER_BOOT</h3> 295 296 <p>Specifies the maximum number of times that a key may be used between system 297 reboots. This is another mechanism to rate-limit key use.</p> 298 299 <p>The value is a 32-bit integer representing uses per boot.</p> 300 301 <p>When a key with this tag is used in an operation, a key-associated counter 302 should be incremented during the <a href="#begin">begin</a> call. After the key counter 303 has exceeded this value, all subsequent attempts 304 to use the key must fail with <code>KM_ERROR_MAX_OPS_EXCEEDED</code>, until the device is 305 restarted. This requirement implies that a trustlet must 306 keep a table of use counters for keys with this tag. Because Keymaster memory 307 is often limited, it is acceptable for this table to have a fixed maximum size 308 and for Keymaster to fail operations that attempt to use keys with this tag 309 when the table is full. At least 16 keys must be accommodated. If an operation 310 fails because the table is full, Keymaster should return <code>KM_ERROR_TOO_MANY_OPERATIONS</code>.</p> 311 312 <p>This tag is not repeatable.</p> 313 314 <h3 id=km_tag_user_secure_id>KM_TAG_USER_SECURE_ID</h3> 315 316 <p>Specifies that a key may only be used under a particular secure user 317 authentication state. This tag is mutually exclusive 318 with <a href="#km_tag_no_auth_required">KM_TAG_NO_AUTH_REQUIRED</a>.</p> 319 320 <p>The value is a 64-bit integer specifying the authentication policy state value 321 which must be present in an authentication token (provided to <a href="#begin">begin</a> with 322 the <a href="#km_tag_auth_token">KM_TAG_AUTH_TOKEN</a>) to authorize use of the key. Any 323 call to <a href="#begin">begin</a> with a key with this tag that does not provide an 324 authentication token, or provides an 325 authentication token without a matching policy state value, must fail.</p> 326 327 <p>This tag is repeatable. If any of the provided values matches any policy state 328 value in the authentication token, the key is authorized for use. Otherwise the operation 329 must fail with <code>KM_ERROR_KEY_USER_NOT_AUTHENTICATED</code>.</p> 330 331 <h3 id=km_tag_no_auth_required>KM_TAG_NO_AUTH_REQUIRED</h3> 332 333 <p>Specifies that no authentication is required to use this key. This tag is 334 mutually exclusive with <a href="#km_tag_user_secure_id">KM_TAG_USER_SECURE_ID</a>.</p> 335 336 <p>This tag is boolean, so the possible values are true (if the tag is present) 337 and false (if the tag is not present).</p> 338 339 <p>This tag is not repeatable.</p> 340 341 <h3 id=km_tag_user_auth_type>KM_TAG_USER_AUTH_TYPE</h3> 342 343 <p>Specifies the types of user authenticators that may be used to authorize this 344 key. When Keymaster is requested to perform an operation with a key with this 345 tag, it must receive an authentication token, and the token's 346 <code>authenticator_type</code> field must match the value in the tag. To be 347 precise, it must be true that <code>(ntoh(token.authenticator_type) & 348 auth_type_tag_value) != 0</code>, where <code>ntoh</code> is a function that converts 349 network-ordered integers to host-ordered integers and 350 <code>auth_type_tag_value</code> is the value of this tag.</p> 351 352 <p>The value is a 32-bit integer bitmask of values from the enumeration:</p> 353 354 <pre> 355 typedef enum { 356 HW_AUTH_NONE = 0, 357 HW_AUTH_PASSWORD = 1 << 0, 358 HW_AUTH_FINGERPRINT = 1 << 1, 359 // Additional entries should be powers of 2. 360 HW_AUTH_ANY = UINT32_MAX, 361 } hw_authenticator_type_t; 362 </pre> 363 364 <p>This tag is not repeatable.</p> 365 366 <h3 id=km_tag_auth_timeout>KM_TAG_AUTH_TIMEOUT</h3> 367 368 <p>Specifies the time in seconds for which the key is authorized for use, after 369 authentication. If <a href="#km_tag_user_secure_id">KM_TAG_USER_SECURE_ID</a> is present and this tag 370 is not, then the key requires authentication for every 371 usage (see <a href="#begin">begin</a> for the details of the authentication-per-operation flow).</p> 372 373 <p>The value is a 32-bit integer specifying the time in seconds after a successful 374 authentication of the user specified by <a href="#km_tag_user_secure_id">KM_TAG_USER_SECURE_ID</a> with 375 the authentication method specified 376 by <a href="#km_tag_mac_length">KM_TAG_USER_AUTH_TYPE</a> that the key can be used.</p> 377 378 <p>This tag is not repeatable.</p> 379 380 <h3 id=km_tag_all_applications>KM_TAG_ALL_APPLICATIONS</h3> 381 382 <p>Reserved for future use.</p> 383 384 <p>This tag is not repeatable.</p> 385 386 <h3 id=km_tag_application_id>KM_TAG_APPLICATION_ID</h3> 387 388 <p>When provided to <a href="#generate_key">generate_key</a> or <a href="#import_key">import_key</a>, 389 this tag specifies data that must be provided during all uses of the key. In 390 particular, calls to <a href="#export_key">export_key</a> and 391 <a href="#get_key_characteristics">get_key_characteristics</a> must 392 provide the same value in the <code>client_id</code> parameter, and 393 calls to <a href="#begin">begin</a> must provide this tag and the 394 same associated data as part of the <code>in_params</code> set. If the correct 395 data is not provided the function must return <code>KM_ERROR_INVALID_KEY_BLOB</code>.</p> 396 397 <p>The content of this tag must be bound to the key <i>cryptographically</i>, 398 meaning it must not be possible for an adversary who has access to all of the 399 secure world secrets but does not have access to the tag content to decrypt the 400 key (without brute-forcing the tag content).</p> 401 402 <p>The value is a blob, an arbitrary-length array of bytes.</p> 403 404 <p>This tag is not repeatable.</p> 405 406 <h3 id=km_tag_application_data>KM_TAG_APPLICATION_DATA</h3> 407 408 <p>When provided to <a href="#generate_key">generate_key</a> or <a href="#import_key">import_key</a>, 409 this tag specifies data that must be provided during all uses of the key. In 410 particular, calls to <a href="#export_key">export_key</a> and 411 <a href="#get_key_characteristics">get_key_characteristics</a> must 412 provide the same value to the <code>client_id</code> parameter, and calls 413 to <a href="#begin">begin</a> must provide this tag and the same associated 414 data as part of the <code>in_params</code> set. If the correct data is not 415 provided, the function must return <code>KM_ERROR_INVALID_KEY_BLOB</code>.</p> 416 417 <p>The content of this tag must be bound to the key <i>cryptographically</i>, 418 meaning it must not be possible for an adversary who has access to all of the 419 secure world secrets but does not have access to the tag content to decrypt the 420 key (without brute-forcing the tag content, which applications can prevent by 421 specifying sufficiently high-entropy content).</p> 422 423 <p>The value is a blob, an arbitrary-length array of bytes.</p> 424 425 <p>This tag is not repeatable.</p> 426 427 <h3 id=km_tag_creation_datetime>KM_TAG_CREATION_DATETIME</h3> 428 429 <p>Specifies the date and time the key was created, in milliseconds since January 430 1, 1970. This tag is optional and informational only.</p> 431 432 <p>This tag is not repeatable.</p> 433 434 <h3 id=km_tag_origin>KM_TAG_ORIGIN</h3> 435 436 <p>Specifies where the key was created, if known. This tag may not be specified 437 during key generation or import, and must be added to the key characteristics 438 by the trustlet.</p> 439 440 <p>The possible values are defined in <code>keymaster_origin_t</code>:</p> 441 442 <pre> 443 typedef enum { 444 KM_ORIGIN_GENERATED = 0, 445 KM_ORIGIN_IMPORTED = 2, 446 KM_ORIGIN_UNKNOWN = 3, 447 } keymaster_key_origin_t 448 </pre> 449 450 <p>The full meaning of the value depends not only on the value but on whether it's 451 found in the hardware-enforced or software-enforced characteristics list.</p> 452 453 <p><code>KM_ORIGIN_GENERATED</code> indicates that Keymaster generated the key. 454 If in the hardware-enforced list, 455 the key was generated in secure hardware and is permanently hardware-bound. If 456 in the software-enforced list, the key was generated in SoftKeymaster and is 457 not hardware-bound.</p> 458 459 <p><code>KM_ORIGIN_IMPORTED</code> indicates that the key was generated outside 460 of Keymaster and imported into 461 Keymaster. If in the hardware-enforced list, it is permanently hardware-bound, 462 although copies outside of secure hardware may exist. If in the 463 software-enforces list, the key was imported into SoftKeymaster and is not 464 hardware-bound.</p> 465 466 <p><code>KM_ORIGIN_UNKNOWN</code> should only appear in the hardware-enforced list. 467 It indicates that the key is 468 hardware-bound, but it is not known whether the key was originally generated in 469 secure hardware or was imported. This only occurs when keymaster0 hardware is 470 being used to emulate keymaster1 services.</p> 471 472 <p>This tag is not repeatable.</p> 473 474 <h3 id=km_tag_rollback_resistant>KM_TAG_ROLLBACK_RESISTANT</h3> 475 476 <p>Indicates that the key is rollback-resistant, meaning that when deleted 477 by <a href="#delete_key">delete_key</a> or <a href="#delete_all_keys">delete_all_keys</a>, 478 the key is guaranteed to be permanently deleted and unusable. It's possible 479 that keys without this tag could be deleted and then restored from backup.</p> 480 481 <p>This tag is boolean, so the possible values are true (if the tag is present) 482 and false (if the tag is not present).</p> 483 484 <p>This tag is not repeatable.</p> 485 486 <h3 id=km_tag_root_of_trust>KM_TAG_ROOT_OF_TRUST</h3> 487 488 <p>Specifies the "root of trust," the key used by verified boot to validate the 489 operating system booted (if any). This tag is never provided to or returned 490 from Keymaster in the key characteristics.</p> 491 492 <h3 id=km_tag_associated_data>KM_TAG_ASSOCIATED_DATA</h3> 493 494 <p>Provides "associated data" for AES-GCM encryption or decryption. This tag is 495 provided to <a href="#update">update</a> and specifies data that is not 496 encrypted/decrypted but is used in computing 497 the GCM tag.</p> 498 499 <p>The value is a blob, an arbitrary-length array of bytes.</p> 500 501 <p>This tag is not repeatable.</p> 502 503 <h3 id=km_tag_nonce>KM_TAG_NONCE</h3> 504 505 <p>Provides or returns a nonce or Initialization Vector (IV) for AES GCM, CBC or 506 CTR encryption or decryption. This tag is provided to <a href="#begin">begin</a> 507 during encryption and decryption operations. It may only be provided to <a href="#begin">begin</a> 508 if the key has <a href="#km_tag_caller_nonce">KM_TAG_CALLER_NONCE</a>. If not provided, 509 an appropriate nonce or IV will be randomly generated by 510 Keymaster and returned from begin.</p> 511 512 <p>The value is a blob, an arbitrary-length array of bytes. Allowed lengths depend 513 on the mode: GCM nonces are 12 bytes in length; CBC and CTR IVs are 16 bytes in 514 length.</p> 515 516 <p>This tag is not repeatable.</p> 517 518 <h3 id=km_tag_auth_token>KM_TAG_AUTH_TOKEN</h3> 519 520 <p>Provides an authentication token (see the Authentication page) to 521 <a href="#begin">begin</a>, <a href="#update">update</a> or <a href="#finish">finish</a>, 522 to prove user authentication for a key operation that requires 523 it (key has <a href="#km_tag_user_secure_id">KM_TAG_USER_SECURE_ID</a>).</p> 524 525 <p>The value is a blob which contains a <code>hw_auth_token_t</code> structure.</p> 526 527 <p>This tag is not repeatable.</p> 528 529 <h3 id=km_tag_mac_length>KM_TAG_MAC_LENGTH</h3> 530 531 <p>Provides the requested length of a MAC or GCM authentication tag, in bits.</p> 532 533 <p>The value is the MAC length in bits. It must be a multiple of 8 and must be at 534 least as large as the value of <a href="#km_tag_min_mac_length">KM_TAG_MIN_MAC_LENGTH</a> 535 associated with the key.</p> 536 537 <h2 id=functions>Functions</h2> 538 539 <h3 id=deprecated_functions>Deprecated functions</h3> 540 541 <p>The following functions are in the <code>keymaster1_device_t</code> definition but 542 should not be implemented. The function pointers should be set 543 to <code>NULL</code>:</p> 544 545 <ul> 546 <li><code>generate_keypair</code> 547 <li><code>import_keypair</code> 548 <li><code>get_keypair_public</code> 549 <li><code>delete_keypair</code> 550 <li><code>delete_all</code> 551 <li><code>sign_data</code> 552 <li><code>verify_data</code> 553 </ul> 554 555 <h3 id=general_implementation_guidelines>General implementation guidelines</h3> 556 557 <p>The following guidelines apply to all functions in the API.</p> 558 559 <h4 id=input_pointer_parameters>Input pointer parameters</h4> 560 561 <p>Input pointer parameters that are not used for a given call may be <code>NULL</code>. 562 The caller is not required to provide placeholders. For example, some key 563 types and modes may not use any values from the <code>in_params</code> argument 564 to <a href="#begin">begin</a>, so the caller may set <code>in_params</code> 565 to <code>NULL</code> or provide an empty parameter set. It is also acceptable for the caller to 566 provide unused parameters, and Keymaster methods should not issue errors.</p> 567 568 <p>If a required input parameter is NULL, Keymaster methods should return 569 <code>KM_ERROR_UNEXPECTED_NULL_POINTER</code>.</p> 570 571 <h4 id=output_pointer_parameters>Output pointer parameters</h4> 572 573 <p>Similar to input pointer parameters, unused output pointer parameters 574 may be <code>NULL</code>. If a method needs to return data in an output 575 parameter found to be <code>NULL</code>, it should return <code>KM_ERROR_OUTPUT_PARAMETER_NULL</code>.</p> 576 577 <h4 id=api_misuse>API misuse</h4> 578 579 <p>There are many ways that callers can make requests that don't make sense or are 580 foolish but not technically wrong. Keymaster1 implementations are not required 581 to fail in such cases or issue a diagnostic. Use of too-small keys, 582 specification of irrelevant input parameters, reuse of IVs or nonces, 583 generation of keys with no purposes (hence useless) and the like should not be 584 diagnosed by implementations. Omission of required parameters, specification of 585 invalid required parameters, and similar errors must be diagnosed.</p> 586 587 <p>It is the responsibility of apps, the framework, and Android keystore to ensure 588 that the calls to Keymaster modules are sensible and useful.</p> 589 590 <h3 id=get_supported_algorithms>get_supported_algorithms</h3> 591 592 <p>Returns the list of algorithms supported by the Keymaster hardware 593 implementation. A software implementation must return an empty list; a hybrid 594 implementation must return a list containing only the algorithms that are 595 supported by hardware.</p> 596 597 <p>Keymaster1 implementations must support RSA, EC, AES and HMAC.</p> 598 599 <h3 id=get_supported_block_modes>get_supported_block_modes</h3> 600 601 <p>Returns the list of AES block modes supported by the Keymaster hardware 602 implementation for a specified algorithm and purpose.</p> 603 604 <p>For RSA, EC and HMAC, which are not block ciphers, the method must return an 605 empty list for all valid purposes. Invalid purposes should cause the method to 606 return <code>KM_ERROR_INVALID_PURPOSE</code>.</p> 607 608 <p>Keymaster1 implementations must support ECB, CBC, CTR and GCM for AES 609 encryption and decryption.</p> 610 611 <h3 id=get_supported_padding_modes>get_supported_padding_modes</h3> 612 613 <p>Returns the list of padding modes supported by the Keymaster hardware 614 implementation for a specified algorithm and purpose.</p> 615 616 <p>HMAC and EC have no notion of padding so the method must return an empty list 617 for all valid purposes. Invalid purposes should cause the method to return <code>KM_ERROR_INVALID_PURPOSE</code>.</p> 618 619 <p>For RSA, keymaster1 implementations must support:</p> 620 621 <ul> 622 <li>Unpadded encryption, decryption, signing and verification. For unpadded 623 encryption and signing, if the message is shorter than the public modulus, 624 implementations must left-pad it with zeros. For unpadded decryption and 625 verification, the input length must match the public modulus size. 626 <li>PKCS#1 v1.5 encryption and signing padding modes 627 <li>PSS with a minimum salt length of 20 628 <li>OAEP 629 </ul> 630 631 <p>For AES in ECB and CBC modes, keymaster1 implementations must support no 632 padding and PKCS#7-padding. CTR and GCM modes must support only no padding.</p> 633 634 <h3 id=get_supported_digests>get_supported_digests</h3> 635 636 <p>Returns the list of digest modes supported by the Keymaster hardware 637 implementation for a specified algorithm and purpose.</p> 638 639 <p>No AES modes support or require digesting, so the method must return an empty 640 list for valid purposes.</p> 641 642 <p>Keymaster1 implementations are allowed to implement a subset of the defined 643 digests, but must provide SHA-256. It is strongly recommended that keymaster1 644 implementations provide MD5, SHA1, SHA-224, SHA-256, SHA384 and SHA512 (the 645 full set of defined digests).</p> 646 647 <h3 id=get_supported_import_formats>get_supported_import_formats</h3> 648 649 <p>Returns the list of import formats supported by the Keymaster hardware 650 implementation of a specified algorithm.</p> 651 652 <p>Keymaster1 implementations must support the PKCS#8 format (without password 653 protection) for importing RSA and EC key pairs, and must support RAW import of 654 AES and HMAC key material.</p> 655 656 <h3 id=get_supported_export_formats>get_supported_export_formats</h3> 657 658 <p>Returns the list of export formats supported by the Keymaster hardware 659 implementation of a specified algorithm.</p> 660 661 <p>Keymaster1 implementations must support the X.509 format for exporting RSA and 662 EC public keys. Export of private keys or asymmetric keys must not be 663 supported.</p> 664 665 <h3 id=add_rng_entropy>add_rng_entropy</h3> 666 667 <p>Adds caller-provided entropy to the pool used by the Keymaster1 implementation 668 for generating random numbers, for keys, IVs, etc.</p> 669 670 <p>Keymaster1 implementations must <strong>securely</strong> mix the provided 671 entropy into their pool, which must also contain 672 internally-generated entropy from a hardware random number generator. Mixing 673 must have the property that an attacker with complete control of either 674 the <code>add_rng_entropy</code>-provided bits or the hardware-generated bits, but not both, cannot predict 675 bits generated from the entropy pool with probability greater than .</p> 676 677 <p>Keymaster1 implementations that attempt to estimate the entropy in their 678 internal pool must assume that data provided by <code>add_rng_entropy</code> contains no entropy.</p> 679 680 <h3 id=generate_key>generate_key</h3> 681 682 <p>Generates a new cryptographic key, specifying associated authorizations, which 683 will be permanently bound to the key. Keymaster1 implementations must make it 684 impossible to use a key in any way inconsistent with the authorizations 685 specified at generation time. With respect to authorizations that the secure 686 hardware cannot enforce, the secure hardware's obligation is limited to 687 ensuring that the unenforceable authorizations associated with the key cannot 688 be modified, so that every call to <a href="#get_key_characteristics">get_key_characteristics</a> 689 will return the original value. In addition, the characteristics returned by <code>generate_key</code> 690 must allocate authorizations correctly between the hardware-enforced and 691 software-enforced lists. See <a href="#get_key_characteristics">get_key_characteristics</a> 692 for more details.</p> 693 694 <p>The parameters that must be provided to <code>generate_key</code> depend on the type of key 695 being generated. This section will summarize the 696 required and allowed tags for each type of key. <a href="#km_tag_algorithm">KM_TAG_ALGORITHM</a> 697 is always required, to specify the type.</p> 698 699 <h4 id=rsa_keys>RSA keys</h4> 700 701 <p>The following parameters are required when generating an RSA key.</p> 702 703 <ul> 704 <li><a href="#km_tag_key_size">KM_TAG_KEY_SIZE</a> specifies the size of the public 705 modulus, in bits. If omitted, the method must 706 return <code>KM_ERROR_UNSUPPORTED_KEY_SIZE</code>. Values that must be supported are 707 1024, 2048, 3072 and 4096. It is 708 recommended to support all key sizes that are a multiple of 8. 709 <li><a href="#km_tag_rsa_public_exponent">KM_TAG_RSA_PUBLIC_EXPONENT</a> specifies 710 the RSA public exponent value. If omitted, the method must 711 return <code>KM_ERROR_INVALID_ARGUMENT</code>. 712 Implementations must support the values 3 and 65537. It is recommended to 713 support all prime values up to 2^64. 714 </ul> 715 716 <p>The following parameters are not required to generate an RSA key, but creating 717 an RSA key without them will produce a key that is unusable. 718 The <code>generate_key</code> function should not return an error if these parameters are omitted.</p> 719 720 <ul> 721 <li><a href="#km_tag_purpose">KM_TAG_PURPOSE</a> specifies allowed purposes. 722 All purposes must be supported for RSA keys, in 723 any combination. 724 <li><a href="#km_tag_digest">KM_TAG_DIGEST</a> specifies digest algorithms that 725 may be used with the new key. Implementations 726 that do not support all digest algorithms must accept key generation requests 727 that include unsupported digests. The unsupported digests should be placed in 728 the "software-enforced" list in the returned key characteristics. This is 729 because the key will be usable with those other digests, but digesting will be 730 performed in software. Then hardware will be called to perform the operation 731 with <code>KM_DIGEST_NONE</code>. 732 <li><a href="#km_tag_padding">KM_TAG_PADDING</a> specifies the padding modes 733 that may be used with the new key. Implementations 734 that do not support all digest algorithms must place <code>KM_PAD_RSA_PSS</code> 735 and <code>KM_PAD_RSA_OAEP</code> in the software-enforced list of the key 736 characteristics if any unsupported 737 digest algorithms are specified. 738 </ul> 739 740 <h4 id=ecdsa_keys>ECDSA keys</h4> 741 742 <p>Only <a href="#km_tag_key_size">KM_TAG_KEY_SIZE</a> is required to generate an 743 ECDSA key. It is used to select the EC group. 744 Implementations must support values 224, 256, 384 and 521, which indicate the 745 NIST p-224, p-256, p-384 and p521 curves, respectively.</p> 746 747 <p><a href="#km_tag_digest">KM_TAG_DIGEST</a> is also needed for a useful ECDSA key, 748 but is not required for generation.</p> 749 750 <h4 id=aes_keys>AES keys</h4> 751 752 <p>Only <a href="#km_tag_key_size">KM_TAG_KEY_SIZE</a> is required when 753 generating an AES key. If omitted, the method must return <code>KM_ERROR_UNSUPPORTED_KEY_SIZE</code>. 754 Values that must be supported are 128 and 256. It is recommended to support 755 192-bit AES keys.</p> 756 757 <p>The following parameters are particularly relevant for AES keys, but not 758 required to generate one:</p> 759 760 <ul> 761 <li><code>KM_TAG_BLOCK_MODE</code> specifies the block modes with which the new key may be used. 762 <li><code>KM_TAG_PADDING</code> specifies the padding modes that may be used. This is only relevant for ECB 763 and CBC modes. 764 </ul> 765 766 <p>If the GCM block mode is specified, then <a href="#km_tag_min_mac_length">KM_TAG_MIN_MAC_LENGTH</a> 767 must be provided. If omitted, the method must return 768 <code>KM_ERROR_MISSING_MIN_MAC_LENGTH</code>. The value of the tag must be a multiple of 8 and must 769 be at least 96 and no more than 128.</p> 770 771 <h4 id=hmac_keys>HMAC keys</h4> 772 773 <p>The following parameters are required for HMAC key generation:</p> 774 775 <ul> 776 <li><a href="#km_tag_key_size">KM_TAG_KEY_SIZE</a> specifies the key size in bits. Values 777 smaller than 64 and values that are not 778 multiples of 8 must not be supported. All multiples of 8, from 64 to 512, must 779 be supported. Larger values may be supported. 780 <li><a href="#km_tag_min_mac_length">KM_TAG_MIN_MAC_LENGTH</a> specifies the minimum length of 781 MACs that can be generated or verified with 782 this key. The value must be a multiple of 8 and must be at least 64. 783 <li><a href="#km_tag_digest">KM_TAG_DIGEST</a> specifies the digest algorithm for the key. Exactly 784 one digest must be 785 specified, otherwise return <code>KM_ERROR_UNSUPPORTED_DIGEST</code>. If the digest is not supported 786 by the trustlet, return <code>KM_ERROR_UNSUPPORTED_DIGEST</code>. 787 </ul> 788 789 <h4 id=key_characteristics>Key characteristics</h4> 790 791 <p>If the characteristics argument is non-NULL, <code>generate_key</code> must return the newly-generated 792 key's characteristics divided appropriately 793 into hardware-enforced and software-enforced lists. See <a href="#get_key_characteristics">get_key_characteristics</a> 794 for a description of which characteristics go in which list. The returned 795 characteristics must include all of the parameters specified to key generation, 796 except <a href="#km_tag_application_id">KM_TAG_APPLICATION_ID</a> and 797 <a href="#km_tag_application_data">KM_TAG_APPLICATION_DATA</a>. 798 If these tags were included in the key parameters, they must be removed from 799 the returned characteristics; it must not be possible to find their values by 800 examining the returned key blob. However, they must be cryptographically bound 801 to the key blob, so that if the correct values are not provided when the key is 802 used, usage will fail. Similarly, <a href="#km_tag_root_of_trust">KM_TAG_ROOT_OF_TRUST</a> must 803 be cryptographically bound to the key, but it may not be specified during 804 key creation or import and must never be returned.</p> 805 806 <p>In addition to the provided tags, the trustlet must also 807 add <a href="#km_tag_origin">KM_TAG_ORIGIN</a>, with the value <code>KM_ORIGIN_GENERATED</code>, 808 and if the key is rollback resistant, <a href="#km_tag_rollback_resistant">KM_TAG_ROLLBACK_RESISTANT</a>.</p> 809 810 <h4 id=rollback_resistance>Rollback resistance </h4> 811 812 <p>Rollback resistance means that once a key is deleted with 813 <a href="#delete_key">delete_key</a> or <a href="#delete_all_keys">delete_all_keys</a>, 814 it is guaranteed by secure hardware never to be usable again. Implementations 815 without rollback resistance will typically return generated or imported key 816 material to the caller as a key blob, an encrypted and authenticated form. When 817 keystore deletes the key blob, the key is gone, but an attacker who has 818 previously managed to retrieve the key material can potentially restore it to 819 the device.</p> 820 821 <p>A key is rollback resistant if the secure hardware guarantees that deleted keys 822 cannot be restored later. This is generally done by storing additional key 823 metadata in a trusted location that cannot be manipulated by an attacker. On 824 mobile devices, the mechanism used for this is usually Replay Protected Memory 825 Blocks (RPMB). Because the number of keys that may be created is essentially 826 unbounded and the trusted storage used for rollback resistance may be limited 827 in size, it is required that this method succeed even if rollback resistance 828 cannot be provided for the new key. In that case, 829 <a href="#km_tag_rollback_resistant">KM_TAG_ROLLBACK_RESISTANT</a> should not be 830 added to the key characteristics.</p> 831 832 <h3 id=get_key_characteristics>get_key_characteristics</h3> 833 834 <p>Returns parameters and authorizations associated with the provided key, divided 835 into two sets: hardware-enforced and software-enforced. The description here 836 applies equally to the key characteristics lists returned 837 by <a href="#generate_key">generate_key</a> and <a href="#import_key">import_key</a>.</p> 838 839 <p>If <code>KM_TAG_APPLICATION_ID</code> was provided during key generation 840 or import, the same value must provided to 841 this method in the <code>client_id</code> argument. Otherwise, the 842 method must return <code>KM_ERROR_INVALID_KEY_BLOB</code>. Similarly, 843 if <code>KM_TAG_APPLICATION_DATA </code>was provided during generation 844 or import, the same value must be provided to 845 this method in the <code>app_data</code> argument.</p> 846 847 <p>The characteristics returned by this method completely describe the type and 848 usage of the specified key.</p> 849 850 <p>The general rule for deciding whether a given tag belongs in the 851 hardware-enforced or software-enforced list is that if the meaning of the tag 852 is fully assured by secure hardware, it is hardware-enforced. Otherwise, it's 853 software enforced. Below is a list of specific tags whose correct allocation 854 may be unclear:</p> 855 856 <ul> 857 <li><a href="#km_tag_algorithm">KM_TAG_ALGORITHM</a>, <a href="#km_tag_key_size">KM_TAG_KEY_SIZE</a>, 858 and <a href="#km_tag_rsa_public_exponent">KM_TAG_RSA_PUBLIC_EXPONENT</a> are 859 intrinsic properties of the key. For any key that is secured by hardware, 860 these will be in the hardware-enforced list, because the statement that, for 861 example, "This RSA key material is only used as an RSA key" is enforced by 862 hardware because the hardware will use it in no other way and software has no 863 access to the key material and cannot use it at all. 864 <li><a href="#km_tag_digest">KM_TAG_DIGEST</a> values that are supported by the 865 secure hardware are to be placed in the 866 hardware-supported list. Unsupported digests go in the software-supported list. 867 <li><a href="#km_tag_padding">KM_TAG_PADDING</a> values generally go in the 868 hardware-supported list, but if there is a 869 possibility that a specific padding mode may have to be performed by software, 870 they go in the software-enforced list. Such a possibility arises for RSA keys 871 that permit PSS or OAEP padding with digest algorithms that are not supported 872 by the secure hardware. 873 <li><a href="#km_tag_user_secure_id">KM_TAG_USER_SECURE_ID</a> and 874 <a href="#km_tag_mac_length">KM_TAG_USER_AUTH_TYPE</a> are hardware-enforced 875 only if user authentication is hardware enforced. For 876 that to be true, the Keymaster trustlet and the relevant authentication 877 trustlet must both be secure and must share a secret HMAC key used to sign and 878 validate authentication tokens. See the Authentication page for details. 879 <li><a href="#km_tag_active_datetime">KM_TAG_ACTIVE_DATETIME</a>, 880 <a href="#km_tag_origination_expire_datetime">KM_TAG_ORIGINATION_EXPIRE_DATETIME</a>, 881 and <a href="#km_tag_usage_expire_datetime">KM_TAG_USAGE_EXPIRE_DATETIME</a> tags 882 require access to a verifiably correct wall clock. Most secure hardware 883 will only have access to time information provided by the non-secure OS, which 884 means the tags are software-enforced. 885 <li><a href="#km_tag_origin">KM_TAG_ORIGIN</a> is always in the hardware list for 886 hardware-bound keys. Its presence in that 887 list is the way higher layers determine that a key is hardware-backed. 888 </ul> 889 890 <h3 id=import_key>import_key</h3> 891 892 <p>Imports key material into Keymaster hardware. Key definition parameters and 893 output characteristics are handled the same as for <code>generate_key</code>, 894 with the following exceptions:</p> 895 896 <ul> 897 <li><a href="#km_tag_key_size">KM_TAG_KEY_SIZE</a> and 898 <a href="#km_tag_rsa_public_exponent">KM_TAG_RSA_PUBLIC_EXPONENT</a> (for RSA keys only) 899 are not required in the input parameters. If not provided, 900 the trustlet must deduce the values from the provided key material and add 901 appropriate tags and values to the key characteristics. If the parameters are 902 provided, the trustlet must validate them against the key material. In the 903 event of a mismatch, the method must return <code>KM_ERROR_IMPORT_PARAMETER_MISMATCH</code>. 904 <li>The returned <a href="#km_tag_origin">KM_TAG_ORIGIN</a> must have the 905 value <code>KM_ORIGIN_IMPORTED</code>. 906 </ul> 907 908 <h3 id=export_key>export_key</h3> 909 910 <p>Exports a public key from a Keymaster RSA or EC key pair.</p> 911 912 <p>If <code>KM_TAG_APPLICATION_ID</code> was provided during key generation or import, 913 the same value must provided to 914 this method in the <code>client_id</code> argument. Otherwise, the method must return 915 <code>KM_ERROR_INVALID_KEY_BLOB</code>. Similarly, if <code>KM_TAG_APPLICATION_DATA</code> 916 was provided during generation or import, the same value must be provided to 917 this method in the <code>app_data</code> argument.</p> 918 919 <h3 id=delete_key>delete_key</h3> 920 921 <p>Deletes the provided key. This method is optional, and will likely be 922 implemented only by Keymaster modules that provide rollback resistance.</p> 923 924 <h3 id=delete_all_keys>delete_all_keys</h3> 925 926 <p>Deletes all keys. This method is optional, and will likely be implemented only 927 by Keymaster modules that provide rollback resistance.</p> 928 929 <h3 id=begin>begin</h3> 930 931 <p>Begins a cryptographic operation, using the specified key, for the specified 932 purpose, with the specified parameters (as appropriate), and returns an 933 operation handle which is used with <a href="#update">update</a> and <a 934 href="#finish">finish</a> to complete the operation. The operation handle is 935 also used as the "challenge" token in authenticated operations, and for such 936 operations must be included in the <code>challenge</code> field of the 937 authentication token.</p> 938 939 <p>A Keymaster implementation must support at least 16 concurrent 940 operations. Keystore will use up to 15, leaving one for vold to use for password 941 encryption. When Keystore has 15 operations in progress (<code>begin</code> has 942 been called, but <code>finish</code> or <code>abort</code> have not yet been 943 called) and it receives a request to begin a 16th, it will call 944 <code>abort</code> on the least-recently used operation to reduce the number of 945 active operations to 14 before calling <code>begin</code> to start the 946 newly-requested operation. 947 948 <p>If <a href="#km_tag_application_id">KM_TAG_APPLICATION_ID</a> or <a 949 href="#km_tag_application_data">KM_TAG_APPLICATION_DATA</a> were specified 950 during key generation or import, calls to <code>begin</code> must include those 951 tags with the originally-specified values in the <code>in_params</code> argument 952 to this method.</p> 953 954 <h4 id=authorization_enforcement>Authorization enforcement</h4> 955 956 <p>During this method, the following key authorizations must be enforced by the 957 trustlet if the implementation placed them in the "hardware-enforced" 958 characteristics and if the operation is not a public key operation. Public key 959 operations, meaning <code>KM_PURPOSE_ENCRYPT</code> and <code>KM_PURPOSE_VERIFY</code>, 960 with RSA or EC keys, must be allowed to succeed even if authorization 961 requirements are not met.</p> 962 963 <ul> 964 <li><a href="#km_tag_purpose">KM_TAG_PURPOSE</a> requires that the purpose specified 965 for this method match one of the purposes 966 in the key authorizations, unless the requested operation is a public key 967 operation, meaning that the key is RSA or EC and the purpose is <code>KM_PURPOSE_ENCRYPT</code> 968 or <code>KM_PURPOSE_VERIFY</code>. Note that <code>KM_PURPOSE_ENCRYPT</code> is not valid for EC keys. 969 Begin should return <code>KM_ERROR_UNSUPPORTED_PURPOSE</code> in that case. 970 <li><a href="#km_tag_active_datetime">KM_TAG_ACTIVE_DATETIME</a> requires comparison with a trusted 971 UTC time source. If the current date and 972 time is prior to the tag value, the method must return <code>KM_ERROR_KEY_NOT_YET_VALID</code>. 973 <li><a href="#km_tag_origination_expire_datetime">KM_TAG_ORIGINATION_EXPIRE_DATETIME</a> requires 974 comparison with a trusted UTC time source. If the current date and 975 time is later than the tag value and the purpose is <code>KM_PURPOSE_ENCRYPT</code> or <code>KM_PURPOSE_SIGN</code>, 976 the method must return <code>KM_ERROR_KEY_EXPIRED</code>. 977 <li><a href="#km_tag_usage_expire_datetime">KM_TAG_USAGE_EXPIRE_DATETIME</a> requires comparison with a 978 trusted UTC time source. If the current date and 979 time is later than the tag value and the purpose is <code>KM_PURPOSE_DECRYPT</code> or <code>KM_PURPOSE_VERIFY</code>, 980 the method must return <code>KM_ERROR_KEY_EXPIRED</code>. 981 <li><a href="#km_tag_min_seconds_between_ops">KM_TAG_MIN_SECONDS_BETWEEN_OPS</a> requires comparison with a 982 trusted relative timer indicating the last use of 983 the key. If the last use time plus the tag value is less than the current time, 984 the method must return <code>KM_ERROR_KEY_RATE_LIMIT_EXCEEDED</code>. See the tag description for 985 important implementation requirements. 986 <li><a href="#km_tag_max_uses_per_boot">KM_TAG_MAX_USES_PER_BOOT</a> requires comparison against a 987 secure counter that tracks the uses of the key 988 since boot time. If the count of previous uses exceeds the tag value, the 989 method must return <code>KM_ERROR_KEY_MAX_OPS_EXCEEDED</code>. 990 <li><a href="#km_tag_user_secure_id">KM_TAG_USER_SECURE_ID</a> is enforced by this method only 991 if the key also has <a href="#km_tag_auth_timeout">KM_TAG_AUTH_TIMEOUT</a>. If the key has both, 992 then this method must have received a <a href="#km_tag_auth_token">KM_TAG_AUTH_TOKEN</a> in 993 <code>in_params</code> and that token must be valid, meaning that the HMAC field validates correctly. 994 In addition, at least one of the <a href="#km_tag_user_secure_id">KM_TAG_USER_SECURE_ID</a> 995 values from the key must match at least one of the secure ID values in the 996 token. Finally, the key must also have a <a href="#km_tag_mac_length">KM_TAG_USER_AUTH_TYPE</a> and 997 it must match the auth type in the token. If any of these requirements is 998 not met, the method must return <code>KM_ERROR_KEY_USER_NOT_AUTHENTICATED</code>. 999 <li><a href="#km_tag_caller_nonce">KM_TAG_CALLER_NONCE</a> allows the caller to specify a nonce 1000 or initialization vector (IV). If the key 1001 does not have this tag but the caller provided <a href="#km_tag_nonce">KM_TAG_NONCE</a> to this method, 1002 <code>KM_ERROR_CALLER_NONCE_PROHIBITED</code> must be returned. 1003 <li><a href="#km_tag_bootloader_only">KM_TAG_BOOTLOADER_ONLY</a> specifies that the key may only be 1004 used by the bootloader. If this method is 1005 called with a bootloader-only key after the bootloader has finished executing, 1006 it must return <code>KM_ERROR_INVALID_KEY_BLOB</code>. 1007 </ul> 1008 1009 <h4 id=rsa_keys>RSA keys</h4> 1010 1011 <p>All RSA key operations must specify exactly one padding mode in <code>in_params</code>. If 1012 unspecified or specified more than once, the method must return <code>KM_ERROR_UNSUPPORTED_PADDING_MODE</code>.</p> 1013 1014 <p>RSA signing and verification operations require a digest, as do RSA encryption 1015 and decryption operations with OAEP padding mode. For those cases, the caller 1016 must specify exactly one digest in <code>in_params</code>. If unspecified or specified more than once, 1017 the method must return <code>KM_ERROR_UNSUPPORTED_DIGEST</code>.</p> 1018 1019 <p>Private key operations (<code>KM_PURPOSE_DECYPT</code> and <code>KM_PURPOSE_SIGN</code>) require 1020 authorization of digest and padding, which means that the specified 1021 values must be in the key authorizations. If not, the method must return <code>KM_ERROR_INCOMPATIBLE_DIGEST</code> 1022 or <code>KM_ERROR_INCOMPATIBLE_PADDING</code>, as appropriate. Public key operations 1023 (<code>KM_PURPOSE_ENCRYPT</code> and <code>KM_PURPOSE_VERIFY</code>) are permitted with 1024 unauthorized digest or padding.</p> 1025 1026 <p>With the exception of <code>KM_PAD_NONE</code>, all RSA padding modes are applicable only to 1027 certain purposes. Specifically, <code>KM_PAD_RSA_PKCS1_1_5_SIGN</code> and <code>KM_PAD_RSA_PSS</code> 1028 only support signing and verification, while <code>KM_PAD_RSA_PKCS1_1_1_5_ENCRYPT</code> and 1029 <code>KM_PAD_RSA_OAEP</code> only support encryption and decryption. The method must return 1030 <code>KM_ERROR_UNSUPPORTED_PADDING_MODE</code> if the specified mode does not support the specified purpose.</p> 1031 1032 <p>There are some important interactions between padding modes and digests:</p> 1033 1034 <ul> 1035 1036 <li><code>KM_PAD_NONE</code> indicates that a "raw" RSA operation will be 1037 performed. If signing or verifying, <code>KM_DIGEST_NONE</code> must be 1038 specified for the digest. No digest is required for unpadded encryption or 1039 decryption. 1040 1041 <li><code>KM_PAD_RSA_PKCS1_1_5_SIGN</code> padding requires a digest. The 1042 digest may be <code>KM_DIGEST_NONE</code>, in which case the Keymaster 1043 implementation cannot build a proper PKCS#1 v1.5 signature structure, because 1044 it cannot add the DigestInfo structure. Instead, the implementation must 1045 construct <code>0x00 || 0x01 || PS || 0x00 || M</code>, where M is the 1046 provided message and PS is the padding string. The size of the RSA key must be 1047 at least 11 bytes larger than the message, otherwise the method must return 1048 <code>KM_ERROR_INVALID_INPUT_LENGTH</code>. 1049 1050 <li><code>KM_PAD_RSA_PKCS1_1_1_5_ENCRYPT</code> padding does not require a digest. 1051 1052 <li><code>KM_PAD_RSA_PSS</code> padding requires a digest, which may not be 1053 <code>KM_DIGEST_NONE</code>. If <code>KM_DIGEST_NONE</code> is specified, the 1054 method must return <code>KM_ERROR_INCOMPATIBLE_DIGEST</code>. In addition, the 1055 size of the RSA key must be at least 22 bytes larger than the output size of 1056 the digest. Otherwise, the method must return 1057 <code>KM_ERROR_INCOMPATIBLE_DIGEST</code>. 1058 1059 <li><code>KM_PAD_RSA_OAEP</code> padding requires a digest, which may not be 1060 <code>KM_DIGEST_NONE</code>. If <code>KM_DIGEST_NONE</code> is specified, the 1061 method must return <code>KM_ERROR_INCOMPATIBLE_DIGEST</code>. 1062 1063 </ul> 1064 1065 <h4 id=ec_keys>EC keys</h4> 1066 1067 <p>EC key operations must specify exactly one padding mode in <code>in_params</code>. 1068 If unspecified or specified more than once, 1069 return <code>KM_ERROR_UNSUPPORTED_PADDING_MODE</code>.</p> 1070 1071 <p>Private key operations (<code>KM_PURPOSE_SIGN</code>) require authorization of the 1072 digest, which means that the specified value must be in the key authorizations. 1073 If not, return <code>KM_ERROR_INCOMPATIBLE_DIGEST</code>. 1074 Public key operations (<code>KM_PURPOSE_VERIFY</code>) are permitted with unauthorized digest or padding.</p> 1075 1076 <h4 id=aes_keys>AES keys</h4> 1077 1078 <p>AES key operations must specify exactly one block mode and one padding mode in <code>in_params</code>. 1079 If either value is unspecified or specified more than once, return <code>KM_ERROR_UNSUPPORTED_BLOCK_MODE</code> or 1080 <code>KM_ERROR_UNSUPPORTED_PADDING_MODE</code>. The specified modes must be authorized by the key. 1081 Otherwise, the method must 1082 return <code>KM_ERROR_INCOMPATIBLE_BLOCK_MODE</code> or <code>KM_ERROR_INCOMPATIBLE_PADDING_MODE</code>.</p> 1083 1084 <p>If the block mode is <code>KM_MODE_GCM</code>, <code>in_params</code> must specify <code>KM_TAG_MAC_LENGTH</code>, and the 1085 specified value must be a multiple of 8 and must not be greater than 1086 128, or less than the value of <code>KM_TAG_MIN_MAC_LENGTH</code> in the key authorizations. For MAC lengths greater than 128 or non-multiples of 1087 8, return <code>KM_ERROR_UNSUPPORTED_MAC_LENGTH</code>. For values less than the key's minimum length, return <code>KM_ERROR_INVALID_MAC_LENGTH</code>.</p> 1088 1089 <p>If the block mode is <code>KM_MODE_GCM</code> or <code>KM_MODE_CTR</code>, the specified padding mode must 1090 be <code>KM_PAD_NONE</code>. For <code>KM_MODE_ECB</code> or <code>KM_MODE_CBC</code>, the mode may 1091 be <code>KM_PAD_NONE</code> or <code>KM_PAD_PKCS7</code>. If the padding mode doesn't meet these 1092 requirements, return <code>KM_ERROR_INCOMPATIBLE_PADDING_MODE</code>.</p> 1093 1094 <p>If the block mode is <code>KM_MODE_CBC</code>, <code>KM_MODE_CTR</code>, or <code>KM_MODE_GCM</code>, an initialization vector or nonce is needed. 1095 In most cases, callers should not 1096 provide an IV or nonce and the Keymaster implementation must generate a random 1097 IV or nonce and return it via <a href="#km_tag_nonce">KM_TAG_NONCE</a> in <code>out_params</code>. CBC 1098 and CTR IVs are 16 bytes. GCM nonces are 12 bytes. If the key 1099 authorizations contain <a href="#km_tag_caller_nonce">KM_TAG_CALLER_NONCE</a>, then the caller may 1100 provide an IV/nonce with <a href="#km_tag_nonce">KM_TAG_NONCE</a> in <code>in_params</code>. If a 1101 nonce is provided when <a href="#km_tag_caller_nonce">KM_TAG_CALLER_NONCE</a> is not authorized, 1102 return <code>KM_ERROR_CALLER_NONCE_PROHIBITED</code>. If a nonce is not provided when 1103 <a href="#km_tag_caller_nonce">KM_TAG_CALLER_NONCE</a> is authorized, generate a random IV/nonce.</p> 1104 1105 <h4 id=hmac_keys>HMAC keys</h4> 1106 1107 <p>HMAC key operations must specify <code>KM_TAG_MAC_LENGTH</code> in <code>in_params</code>. 1108 The specified value must be a multiple of 8 and must not be greater than the 1109 digest length, or less than the value of <code>KM_TAG_MIN_MAC_LENGTH</code> in the key authorizations. 1110 For MAC lengths greater than the digest length or 1111 non-multiples of 8, return <code>KM_ERROR_UNSUPPORTED_MAC_LENGTH</code>. For values less than 1112 the key's minimum length, return <code>KM_ERROR_INVALID_MAC_LENGTH</code>.</p> 1113 1114 <h3 id=update>update</h3> 1115 1116 <p>Provides data to process in an ongoing operation started with <a href="#begin">begin</a>. 1117 The operation is specified by the <code>operation_handle</code> parameter.</p> 1118 1119 <p>To provide more flexibility for buffer handling, implementations of this method 1120 have the option of consuming less data than was provided. The caller is 1121 responsible for looping to feed the rest of the data in subsequent calls. The 1122 amount of input consumed must be returned in the <code>input_consumed</code> parameter. 1123 Implementations must always consume at least one byte, unless the 1124 operation cannot accept any more; if more than zero bytes are provided and zero 1125 bytes are consumed, callers will consider this an error and abort the 1126 operation.</p> 1127 1128 <p>Implementations may also choose how much data to return, as a result of the 1129 update. This is only relevant for encryption and decryption operations, since 1130 signing and verification return no data until <a href="#finish">finish</a>. It is recommended 1131 to return data as early as possible, rather than buffer it.</p> 1132 1133 <h4 id=error_handling>Error handling</h4> 1134 1135 <p>If this method returns an error code other than <code>KM_ERROR_OK</code>, the operation is 1136 aborted and the operation handle must be invalidated. Any 1137 future use of the handle, with this method or <a href="#finish">finish</a> or <a href="#abort">abort</a>, 1138 must return <code>KM_ERROR_INVALID_OPERATION_HANDLE</code>.</p> 1139 1140 <h4 id=authorization_enforcement>Authorization enforcement</h4> 1141 1142 <p>Key authorization enforcement is performed primarily in <a href="#begin">begin</a>. The one exception 1143 is the case where the key has:</p> 1144 1145 <ul> 1146 <li>One or more <a href="#km_tag_user_secure_id">KM_TAG_USER_SECURE_IDs</a>, and 1147 <li>Does not have a <a href="#km_tag_auth_timeout">KM_TAG_AUTH_TIMEOUT</a> 1148 </ul> 1149 1150 <p>In this case, the key requires an authorization per operation, and the update 1151 method must receive a <a href="#km_tag_auth_token">KM_TAG_AUTH_TOKEN</a> in the <code>in_params</code> argument. 1152 The token must be valid (HMAC must verify) and it must contain a 1153 matching secure user ID, must match the key's <a href="#km_tag_mac_length">KM_TAG_USER_AUTH_TYPE</a>, and must 1154 contain the operation handle of the current operation in the 1155 challenge field. If these requirements aren't met, return <code>KM_ERROR_KEY_USER_NOT_AUTHENTICATED</code>.</p> 1156 1157 <p>The caller must provide the authentication token to every call to <a href="#update">update</a> and 1158 <a href="#finish">finish</a>. The implementation need only validate the token once if it prefers.</p> 1159 1160 <h4 id=rsa_keys>RSA keys</h4> 1161 1162 <p>For signing and verification operations with <code>KM_DIGEST_NONE</code>, this method must accept 1163 the entire block to be signed or verified in a single 1164 update. It may not consume only a portion of the block. It still must accept 1165 the data in multiple updates if the caller chooses to provide it that way, 1166 however. If the caller provides more data to sign than can be used (length of 1167 data exceeds RSA key size), return <code>KM_ERROR_INVALID_INPUT_LENGTH</code>.</p> 1168 1169 <h4 id=ecdsa_keys>ECDSA keys</h4> 1170 1171 <p>For signing and verification operations with <code>KM_DIGEST_NONE</code>, this method must accept the 1172 entire block to be signed or verified in a single 1173 update. This method may not consume only a portion of the block.</p> 1174 1175 <p>However, this method still must accept the data in multiple updates if the 1176 caller chooses to provide it that way. If the caller provides more data to sign 1177 than can be used, the data should be silently truncated. (This differs from the 1178 handling of excess data provided in similar RSA operations. The reason for this 1179 is compatibility with legacy clients.)</p> 1180 1181 <h4 id=aes_keys>AES keys</h4> 1182 1183 <p>AES GCM mode supports "associated authentication data," provided via the 1184 <a href="#km_tag_associated_data">KM_TAG_ASSOCIATED_DATA</a> tag in the <code>in_params</code> argument. 1185 The associated data may be provided in repeated calls (important if 1186 the data is too large to send in a single block) but must always precede data 1187 to be encrypted or decrypted. An update call may receive both associated data 1188 and data to encrypt/decrypt, but subsequent updates may not include associated 1189 data. If the caller provides associated data to an update call after a call 1190 that includes data to encrypt/decrypt, return <code>KM_ERROR_INVALID_TAG</code>.</p> 1191 1192 <p>For GCM encryption, the tag is appended to the ciphertext by <a href="#finish">finish</a>. 1193 During decryption, the last <code>KM_TAG_MAC_LENGTH</code> bytes of the data provided to the last 1194 update call is the tag. Since a given 1195 invocation of <a href="#update">update</a> cannot know if it's the last invocation, it must process all but the tag 1196 length and buffer the possible tag data for processing during <a href="#finish">finish</a>.</p> 1197 1198 <h3 id=finish>finish</h3> 1199 1200 <p>Finished an ongoing operation started with <a href="#begin">begin</a>, processing all of the 1201 as-yet-unprocessed data provided by <a href="#update">update</a>(s).</p> 1202 1203 <p>This method is the last one called in an operation, so all processed data must 1204 be returned.</p> 1205 1206 <p>Whether it completes successfully or returns an error, this method finalizes 1207 the operation and therefore invalidates the provided operation handle. Any 1208 future use of the handle, with this method or <a href="#update">update</a> or 1209 <a href="#abort">abort</a>, must return <code>KM_ERROR_INVALID_OPERATION_HANDLE</code>.</p> 1210 1211 <p>Signing operations return the signature as the output. Verification operations 1212 accept the signature in the <code>signature</code> parameter, and return no output.</p> 1213 1214 <h4 id=authorization_enforcement>Authorization enforcement</h4> 1215 1216 <p>Key authorization enforcement is performed primarily in <a href="#begin">begin</a>. The one exception is the case where the key has:</p> 1217 1218 <ul> 1219 <li>One or more <a href="#km_tag_user_secure_id">KM_TAG_USER_SECURE_IDs</a>, and 1220 <li>Does not have a <a href="#km_tag_auth_timeout">KM_TAG_AUTH_TIMEOUT</a> 1221 </ul> 1222 1223 <p>In this case, the key requires an authorization per operation, and the update 1224 method must receive a <a href="#km_tag_auth_token">KM_TAG_AUTH_TOKEN</a> in the <code>in_params</code> argument. 1225 The token must be valid (HMAC must verify) and it must contain a 1226 matching secure user ID, must match the key's <a href="#km_tag_mac_length">KM_TAG_USER_AUTH_TYPE</a>, and must 1227 contain the operation handle of the current operation in the 1228 challenge field. If these requirements aren't met, return <code>KM_ERROR_KEY_USER_NOT_AUTHENTICATED</code>.</p> 1229 1230 <p>The caller must provide the authentication token to every call to <a href="#update">update</a> and <a href="#finish">finish</a>. 1231 The implementation need only validate the token once if it prefers.</p> 1232 1233 <h4 id=rsa_keys>RSA keys</h4> 1234 1235 <p>Some additional requirements, depending on the padding mode:</p> 1236 1237 <ul> 1238 <li><strong>KM_PAD_NONE</strong>. For unpadded signing and encryption operations, if the provided data is 1239 shorter than the key, the data must be zero-padded on the left before 1240 signing/encryption. If the data is the same length as the key but numerically 1241 larger, return <code>KM_ERROR_INVALID_ARGUMENT</code>. For verification and decryption operations, the data must be exactly as long 1242 as the key. Otherwise, return <code>KM_ERROR_INVALID_INPUT_LENGTH.</code> 1243 <li><strong>KM_PAD_RSA_PSS</strong>. For PSS-padded signature operations, the PSS salt must be at least 20 bytes 1244 in length and randomly-generated. The salt may be longer; the reference 1245 implementation uses maximally-sized salt. The digest specified with <a href="#km_tag_digest">KM_TAG_DIGEST</a> in 1246 <code>input_params</code> on <a href="#begin">begin</a> is used as the PSS digest algorithm, and SHA1 is used as the MGF1 digest 1247 algorithm. 1248 <li><strong>KM_PAD_RSA_OAEP</strong>. The digest specified with <a href="#km_tag_digest">KM_TAG_DIGEST</a> in 1249 <code>input_params</code> on <a href="#begin">begin</a> is used as the OAEP digest algorithm, and SHA1 is used as the MGF1 digest 1250 algorithm. 1251 </ul> 1252 1253 <h4 id=ecdsa_keys>ECDSA keys</h4> 1254 1255 <p>If the data provided for unpadded signing or verification is too long, truncate 1256 it.</p> 1257 1258 <h4 id=aes_keys>AES keys</h4> 1259 1260 <p>Some additional requirements, depending on block mode:</p> 1261 1262 <ul> 1263 <li><strong>KM_MODE_ECB</strong> or <strong>KM_MODE_CBC</strong>. If padding is <code>KM_PAD_NONE</code> and the 1264 data length is not a multiple of the AES block size, return <code>KM_ERROR_INVALID_INPUT_LENGTH</code>. If 1265 padding is <code>KM_PAD_PKCS7</code>, pad the data per the PKCS#7 specification. Note that PKCS#7 requires that if 1266 the data is a multiple of the block length, an additional padding block must be 1267 added. 1268 <li><strong>KM_MODE_GCM</strong>. During encryption, after processing all plaintext, compute the 1269 tag (<a href="#km_tag_mac_length">KM_TAG_MAC_LENGTH</a> bytes) and append it to the returned ciphertext. 1270 During decryption, process 1271 the last <a href="#km_tag_mac_length">KM_TAG_MAC_LENGTH</a> bytes as the tag. If tag verification fails, 1272 return <code>KM_ERROR_VERIFICATION_FAILED</code>. 1273 </ul> 1274 1275 <h3 id=abort>abort</h3> 1276 1277 <p>Aborts the in-progress operation. After the call to abort, return <code>KM_ERROR_INVALID_OPERATION_HANDLE</code> for 1278 any subsequent use of the provided operation handle with <a href="#update">update</a>, 1279 <a href="#finish">finish</a>, or <a href="#abort">abort</a>.</p> 1280
