ash / components / arc / mojom / keymaster.mojom [blame]

// Copyright 2019 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Next MinVersion: 1

// This file defines the mojo interface between Android and Chrome OS for the
// keymaster implementation used in ARC.

module arc.mojom;

// Host is implemented in Chrome. Listens until server and instance come online
// and forwards a server handle to the instance.
interface KeymasterHost {
  GetServer@0() => (pending_remote<KeymasterServer>? server_remote);
};

// Instance is implemented in ARC. Retrieves a server pointer from the host and
// uses it to fulfill Android Keymaster operations.
interface KeymasterInstance {
  // Establishes full-duplex communication with the host.
  Init@0(pending_remote<KeymasterHost> host_remote) => ();
};

// Server is implemented in arc-keymasterd in Chrome OS. This interface is the
// mojo equivalent of the Keymaster 3.0 HIDL interface. Please refer to
// Android's IKeymasterDevice.hal for a more detailed description on how the
// methods and structs below should function.
interface KeymasterServer {

  // Sets the Android version information used.
  SetSystemVersion@0(uint32 os_version, uint32 os_patchlevel);

  AddRngEntropy@1(array<uint8> data) => (int32 error);

  // Returns the characteristics of the specified key if it is valid.
  GetKeyCharacteristics@2(GetKeyCharacteristicsRequest request) =>
      (GetKeyCharacteristicsResult response);

  GenerateKey@3(array<KeyParameter> key_params) => (GenerateKeyResult response);

  ImportKey@4(ImportKeyRequest request) => (ImportKeyResult response);

  // Exports a public key, returning the key in the specified format.
  ExportKey@5(ExportKeyRequest request) => (ExportKeyResult response);

  // Generates a signed X.509 certificate chain attesting to the presence of
  // keyToAttest in Keymaster.
  AttestKey@6(AttestKeyRequest request) => (AttestKeyResult result);

  // Upgrades a key generated by an older version of the Keymaster.
  UpgradeKey@7(UpgradeKeyRequest request) => (UpgradeKeyResult response);

  DeleteKey@8(array<uint8> key_blob) => (int32 error);

  DeleteAllKeys@9() => (int32 error);

  // Begins a cryptographic operation using the specified key.
  Begin@10(BeginRequest request) => (BeginResult result);

  // Provides data and possibly receives output from an ongoing operation.
  Update@11(UpdateRequest request) => (UpdateResult response);

  // Finalizes a cryptographic operation and invalidates operation handle.
  Finish@12(FinishRequest request) => (FinishResult response);

  // Aborts an operation and invalidates the operation handle.
  Abort@13(uint64 op_handle) => (int32 error);
};

////////////////////////////////////////////////////////////////////////////////
// KeymasterServer helper enums and structs

[Extensible]
enum KeyPurpose {
  ENCRYPT = 0,    // Usable with RSA, EC and AES keys.
  DECRYPT = 1,    // Usable with RSA, EC and AES keys.
  SIGN = 2,       // Usable with RSA, EC and HMAC keys.
  VERIFY = 3,     // Usable with RSA, EC and HMAC keys.
  DERIVE_KEY = 4, // Usable with EC keys.
  WRAP_KEY = 5,   // Usable with wrapping keys.
};

[Extensible]
enum KeyFormat {
  X509 = 0,  // for public key export
  PKCS8 = 1, // for asymmetric key pair import
  RAW = 3,   // for symmetric key import and export
};

// Helper union for key parameter values.
union IntegerKeyParam {
  bool boolean_value;  // KM_BOOL
  uint32 integer;      // KM_ENUM, KM_ENUM_REP, KM_INT and KM_INT_REP
  uint64 long_integer; // KM_LONG
  uint64 date_time;    // KM_DATE
  array<uint8> blob;   // KM_BIGNUM and KM_BYTES
};

struct KeyParameter {
  // Discriminates the IntegerKeyParam union field used.
  uint32 tag;
  IntegerKeyParam param;
};

// Defines the attributes of a key, including cryptographic parameters, and
// usage restrictions.
struct KeyCharacteristics {
  array<KeyParameter> software_enforced;
  array<KeyParameter> tee_enforced;
};

////////////////////////////////////////////////////////////////////////////////
// KeymasterServer request and response structs

struct GetKeyCharacteristicsRequest {
  array<uint8> key_blob;
  array<uint8> client_id;
  array<uint8> app_data;
};

struct GetKeyCharacteristicsResult {
  KeyCharacteristics key_characteristics;
  int32 error;
};

struct GenerateKeyResult {
  array<uint8> key_blob;
  KeyCharacteristics key_characteristics;
  int32 error;
};

struct ImportKeyRequest {
  array<KeyParameter> key_description;
  KeyFormat key_format;
  array<uint8> key_data;
};

struct ImportKeyResult {
  array<uint8> key_blob;
  KeyCharacteristics key_characteristics;
  int32 error;
};

struct ExportKeyRequest {
  KeyFormat key_format;
  array<uint8> key_blob;
  array<uint8> client_id;
  array<uint8> app_data;
};

struct ExportKeyResult {
  array<uint8> key_material;
  int32 error;
};

struct AttestKeyRequest {
  array<uint8> key_to_attest;
  array<KeyParameter> attest_params;
};

struct AttestKeyResult {
  array<array<uint8>> cert_chain;
  int32 error;
};

struct UpgradeKeyRequest {
  array<uint8> key_blob_to_upgrade;
  array<KeyParameter> upgrade_params;
};

struct UpgradeKeyResult {
  array<uint8> upgraded_key_blob;
  int32 error;
};

struct BeginRequest {
  KeyPurpose purpose;
  array<uint8> key;
  array<KeyParameter> in_params;
};

struct BeginResult {
  array<KeyParameter> out_params;
  uint64 op_handle;
  int32 error;
};

struct UpdateRequest {
  uint64 op_handle;
  array<KeyParameter> in_params;
  array<uint8> input;
};

struct UpdateResult {
  uint32 input_consumed;
  array<KeyParameter> out_params;
  array<uint8> output;
  int32 error;
};

struct FinishRequest {
  uint64 op_handle;
  array<KeyParameter> in_params;
  array<uint8> input;
  array<uint8> signature;
};

struct FinishResult {
  array<KeyParameter> out_params;
  array<uint8> output;
  int32 error;
};