authorjosephjang <josephjang@google.com>2020-06-18 06:52:49 +0000
committerAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>2020-06-18 06:52:49 +0000
commitd5592ac11221ee4b2ce614f0b485702b5384e371 (patch)
treeff3a745d33d20b6a3eecbe34b7f977edec0e2a91
parent99cb689080e281665275798304de46b1068c1f2d (diff)
parentbe4523fff7f5a44d61da5202050b0c51d349dc81 (diff)
Merge remote-tracking branch 'goog/upstream-master' into josephjang-nos-merge-upstream am: be4523fff7
Original change: https://googleplex-android-review.googlesource.com/c/platform/external/nos/host/generic/+/11874040 Change-Id: I4d692a1219be9ff280025c28f19846b2441ed15e
-rw-r--r--nugget/include/application.h1
-rw-r--r--nugget/include/citadel_events.h11
-rw-r--r--nugget/proto/BUILD82
-rw-r--r--nugget/proto/nugget/app/identity/Android.bp47
-rw-r--r--nugget/proto/nugget/app/identity/identity.proto303
-rw-r--r--nugget/proto/nugget/app/identity/identity_defs.proto46
-rw-r--r--nugget/proto/nugget/app/identity/identity_types.proto32
-rw-r--r--nugget/proto/nugget/app/keymaster/keymaster.proto30
-rw-r--r--nugget/proto/nugget/app/protoapi/testing_api.proto163
9 files changed, 711 insertions, 4 deletions
diff --git a/nugget/include/application.h b/nugget/include/application.h
index 9415811..ef70754 100644
--- a/nugget/include/application.h
+++ b/nugget/include/application.h
@@ -72,6 +72,7 @@ typedef const void * const __private;
#define APP_ID_KEYMASTER 0x02
#define APP_ID_WEAVER 0x03
#define APP_ID_PROTOBUF 0x04
+#define APP_ID_IDENTITY 0x05
/* Fake apps used only for testing */
#define APP_ID_AVB_TEST 0x11
diff --git a/nugget/include/citadel_events.h b/nugget/include/citadel_events.h
index 280c7ff..02653b0 100644
--- a/nugget/include/citadel_events.h
+++ b/nugget/include/citadel_events.h
@@ -63,6 +63,7 @@ enum event_id {
EVENT_ALERT = 1, // Globalsec alert fired.
EVENT_REBOOTED = 2, // Device rebooted.
EVENT_UPGRADED = 3, // Device has upgraded.
+ EVENT_ALERT_V2 = 4, // Globalsec Alertv2 fired
};
/* Please do not change the size of this struct */
@@ -84,10 +85,12 @@ struct event_record {
uint32_t which1;
} rebooted;
struct {
- uint32_t int_grp_bf;
- uint32_t int_cause_bf;
- uint32_t dlyctr_bf;
- } d_globalsec;
+ uint32_t alert_grp[4];
+ uint16_t camo_breaches[2];
+ uint16_t temp_min;
+ uint16_t temp_max;
+ uint32_t bus_err;
+ } alert_v2;
/* uninterpreted */
union {
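Review bot: The new `alert_v2` payload is 28 bytes where the `d_globalsec` payload it replaces was 12, and nothing in this hunk checks that `struct event_record` keeps the size that the comment above the struct asks to preserve. Whether the larger member still fits depends on the uninterpreted union member, which starts below the end of this hunk. A compile-time check would make the guarantee explicit, for example `_Static_assert(sizeof(struct event_record) == EVENT_RECORD_SIZE, "event_record size is a host/firmware contract");`, where `EVENT_RECORD_SIZE` is a placeholder for the current size, not a name from this file. Removing `d_globalsec` also leaves `EVENT_ALERT = 1` in the enum without a named payload, so a host reading records written by older firmware presumably has to use the uninterpreted view; a short comment saying so would help whoever decodes these logs.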
diff --git a/nugget/proto/BUILD b/nugget/proto/BUILD
index d065ed2..0b7219f 100644
--- a/nugget/proto/BUILD
+++ b/nugget/proto/BUILD
@@ -43,6 +43,14 @@ cc_proto_library(
)
cc_proto_library(
+ name = "nugget_app_identity_identity_cc_proto",
+ visibility = ["//visibility:public"],
+ deps = [
+ "nugget_app_identity_identity_proto",
+ ],
+)
+
+cc_proto_library(
name = "nugget_app_avb_avb_cc_proto",
visibility = ["//visibility:public"],
deps = [
@@ -101,6 +109,25 @@ cc_library(
)
cc_library(
+ name = "identity_client_proto",
+ srcs = [
+ "nugget/app/identity/Identity.client.cpp",
+ ],
+ hdrs = [
+ "nugget/app/identity/Identity.client.h",
+ ],
+ includes = [
+ "./nugget/app/identity/",
+ ],
+ visibility = ["//visibility:public"],
+ deps = [
+ "nugget_app_identity_identity_cc_proto",
+ "nugget_protobuf_options_cc_proto",
+ "//host/generic/libnos",
+ ],
+)
+
+cc_library(
name = "avb_client_proto",
srcs = [
"nugget/app/avb/Avb.client.cpp",
@@ -204,6 +231,48 @@ genrule(
)
genrule(
+ name = "identity_proto_client_cc_genrule",
+ srcs = [
+ "nugget/app/identity/identity.proto",
+ "nugget/app/identity/identity_defs.proto",
+ "nugget/app/identity/identity_types.proto",
+ "nugget/protobuf/options.proto",
+ "google/protobuf/descriptor.proto",
+ ],
+ outs = [
+ "nugget/app/identity/Identity.client.cpp",
+ ],
+ cmd = GEN_SERVICE + " --proto_path=" + PROTO_ROOT +
+ " --nos-client-cpp_out=source:$$(dirname $(location nugget/app/identity/Identity.client.cpp)) " +
+ "$(location nugget/app/identity/identity.proto)",
+ tools = [
+ "@com_google_protobuf//:protoc",
+ "//host/generic/libnos/generator:protoc_gen_nos_client_cpp",
+ ],
+)
+
+genrule(
+ name = "identity_proto_client_h_genrule",
+ srcs = [
+ "nugget/app/identity/identity.proto",
+ "nugget/app/identity/identity_defs.proto",
+ "nugget/app/identity/identity_types.proto",
+ "nugget/protobuf/options.proto",
+ "google/protobuf/descriptor.proto",
+ ],
+ outs = [
+ "nugget/app/identity/Identity.client.h",
+ ],
+ cmd = GEN_SERVICE + " --proto_path=" + PROTO_ROOT +
+ " --nos-client-cpp_out=header:$$(dirname $(location nugget/app/identity/Identity.client.h)) " +
+ "$(location nugget/app/identity/identity.proto)",
+ tools = [
+ "@com_google_protobuf//:protoc",
+ "//host/generic/libnos/generator:protoc_gen_nos_client_cpp",
+ ],
+)
+
+genrule(
name = "keymaster_proto_client_cc_genrule",
srcs = [
"nugget/app/keymaster/keymaster.proto",
@@ -344,6 +413,19 @@ proto_library(
)
proto_library(
+ name = "nugget_app_identity_identity_proto",
+ srcs = [
+ "nugget/app/identity/identity.proto",
+ "nugget/app/identity/identity_defs.proto",
+ "nugget/app/identity/identity_types.proto",
+ ],
+ strip_import_prefix = PROTO_SOURCE_ROOT,
+ deps = [
+ "nugget_protobuf_options_proto",
+ ],
+)
+
+proto_library(
name = "nugget_protobuf_options_proto",
srcs = [
"nugget/protobuf/options.proto",
diff --git a/nugget/proto/nugget/app/identity/Android.bp b/nugget/proto/nugget/app/identity/Android.bp
new file mode 100644
index 0000000..d05f639
--- /dev/null
+++ b/nugget/proto/nugget/app/identity/Android.bp
@@ -0,0 +1,47 @@
+//
+// Copyright (C) 2019 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+genrule {
+ name: "nos_app_identity_service_genc++",
+ out: ["Identity.client.cpp"],
+ srcs: ["identity.proto"],
+ tools: ["aprotoc", "protoc-gen-nos-client-cpp"],
+ cmd: GEN_SERVICE_SOURCE,
+}
+
+genrule {
+ name: "nos_app_identity_service_genc++_headers",
+ out: ["Identity.client.h"],
+ srcs: ["identity.proto"],
+ tools: ["aprotoc", "protoc-gen-nos-client-cpp"],
+ cmd: GEN_SERVICE_HEADER,
+}
+
+genrule {
+ name: "nos_app_identity_service_genc++_mock",
+ out: ["MockIdentity.client.h"],
+ srcs: ["identity.proto"],
+ tools: ["aprotoc", "protoc-gen-nos-client-cpp"],
+ cmd: GEN_SERVICE_MOCK,
+}
+
+cc_library {
+ name: "nos_app_identity",
+ generated_sources: ["nos_app_identity_service_genc++"],
+ generated_headers: ["nos_app_identity_service_genc++_headers"],
+ defaults: ["nos_app_service_defaults"],
+ export_generated_headers: ["nos_app_identity_service_genc++_headers"],
+}
diff --git a/nugget/proto/nugget/app/identity/identity.proto b/nugget/proto/nugget/app/identity/identity.proto
new file mode 100644
index 0000000..9d0a529
--- /dev/null
+++ b/nugget/proto/nugget/app/identity/identity.proto
@@ -0,0 +1,303 @@
+/*
+ * Copyright (C) 2019 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+syntax = "proto3";
+
+package nugget.app.identity;
+
+import "nugget/app/identity/identity_defs.proto";
+import "nugget/app/identity/identity_types.proto";
+import "nugget/protobuf/options.proto";
+
+// Identity is the app used to implement Android's Identity HAL.
+//
+// The documentation for the HAL applies to this implementation.
+service Identity {
+ option (nugget.protobuf.app_id) = "IDENTITY";
+ option (nugget.protobuf.app_name) = "Identity";
+ option (nugget.protobuf.app_version) = 1;
+ option (nugget.protobuf.request_buffer_size) = 1024;
+ option (nugget.protobuf.response_buffer_size) = 1024;
+
+ // RPCs for the Identity HAL
+ rpc WICinitialize (WICinitializeRequest) returns (WICinitializeResponse);
+ rpc WICcreateCredentialKey (WICcreateCredentialKeyRequest) returns (WICcreateCredentialKeyResponse);
+ rpc WICstartPersonalization (WICstartPersonalizationRequest) returns (WICstartPersonalizationResponse);
+ rpc WICaddAccessControlProfile (WICaddAccessControlProfileRequest) returns (WICaddAccessControlProfileResponse);
+ rpc WICbeginAddEntry (WICbeginAddEntryRequest) returns (WICbeginAddEntryResponse);
+ rpc WICaddEntryValue (WICaddEntryValueRequest) returns (WICaddEntryValueResponse);
+ rpc WICfinishAddingEntries (WICfinishAddingEntriesRequest) returns (WICfinishAddingEntriesResponse);
+ rpc ICinitialize (ICinitializeRequest) returns (ICinitializeResponse);
+ rpc ICcreateEphemeralKeyPair (ICcreateEphemeralKeyPairRequest) returns (ICcreateEphemeralKeyPairResponse);
+ rpc ICgenerateSigningKeyPair (ICgenerateSigningKeyPairRequest) returns (ICgenerateSigningKeyPairResponse);
+ rpc ICcreateAuthChallenge (ICcreateAuthChallengeRequest) returns (ICcreateAuthChallengeResponse);
+ rpc ICstartRetrieveEntries (ICstartRetrieveEntriesRequest) returns (ICstartRetrieveEntriesResponse);
+ rpc ICsetAuthToken (ICsetAuthTokenRequest) returns (ICsetAuthTokenResponse);
+ rpc ICpushReaderCert (ICpushReaderCertRequest) returns (ICpushReaderCertResponse);
+ rpc ICvalidateAccessControlProfile (ICvalidateAccessControlProfileRequest) returns (ICvalidateAccessControlProfileResponse);
+ rpc ICvalidateRequestMessage (ICvalidateRequestMessageRequest) returns (ICvalidateRequestMessageResponse);
+ rpc ICcalcMacKey (ICcalcMacKeyRequest) returns (ICcalcMacKeyResponse);
+ rpc ICstartRetrieveEntryValue (ICstartRetrieveEntryValueRequest) returns (ICstartRetrieveEntryValueResponse);
+ rpc ICretrieveEntryValue (ICretrieveEntryValueRequest) returns (ICretrieveEntryValueResponse);
+ rpc ICfinishRetrieval (ICfinishRetrievalRequest) returns (ICfinishRetrievalResponse);
+ rpc ICdeleteCredential (ICdeleteCredentialRequest) returns (ICdeleteCredentialResponse);
+}
+
+// WICinitialize
+message WICinitializeRequest{
+ bool testCredential = 1;
+}
+message WICinitializeResponse{
+ Result result = 1;
+}
+
+// WICcreateCredentialKey
+message WICcreateCredentialKeyRequest{
+}
+
+message WICcreateCredentialKeyResponse{
+ Result result = 1;
+ bytes publickey = 2;
+}
+
+// WICstartPersonalization
+message WICstartPersonalizationRequest{
+ uint32 accessControlProfileCount = 1;
+ bytes entryCounts = 2;
+ bytes docType = 3;
+ uint32 expectedProofOfProvisioningSize = 4;
+}
+message WICstartPersonalizationResponse{
+ Result result = 1;
+}
+
+// WICaddAccessControlProfile
+message WICaddAccessControlProfileRequest{
+ uint32 id = 1;
+ bytes readerCertificate = 2;
+ bool userAuthenticationRequired = 3;
+ uint64 timeoutMillis = 4;
+ uint64 secureUserId = 5;
+}
+message WICaddAccessControlProfileResponse{
+ Result result = 1;
+ bytes mac = 2;
+}
+
+// WICbeginAddEntry
+message WICbeginAddEntryRequest{
+ bytes accessControlProfileIds = 1;
+ string nameSpace = 2;
+ string name = 3;
+ uint64 entrySize = 4;
+}
+message WICbeginAddEntryResponse{
+ Result result = 1;
+}
+
+// WICaddEntryValue
+message WICaddEntryValueRequest{
+ bytes accessControlProfileIds = 1;
+ string nameSpace = 2;
+ string name = 3;
+ bytes content = 4;
+}
+message WICaddEntryValueResponse{
+ Result result = 1;
+ bytes encrypted_content = 2;
+}
+
+// WICfinishAddingEntries
+message WICfinishAddingEntriesRequest{
+ bytes docType = 1;
+ bool testCredential = 2;
+}
+
+message WICfinishAddingEntriesResponse{
+ Result result = 1;
+ bytes signatureOfToBeSigned = 2;
+ bytes credentialData = 3;
+}
+
+// ICinitialize
+message ICinitializeRequest{
+ bool testCredential = 1;
+ bytes docType = 2;
+ bytes encryptedCredentialKeys = 3;
+}
+
+message ICinitializeResponse{
+ Result result = 1;
+}
+
+// ICcreateEphemeralKeyPair
+message ICcreateEphemeralKeyPairRequest{
+}
+
+message ICcreateEphemeralKeyPairResponse{
+ Result result = 1;
+ bytes ephemeralPriv = 2;
+}
+
+// ICgenerateSigningKeyPair
+message ICgenerateSigningKeyPairRequest{
+ bytes docType = 1;
+}
+
+message ICgenerateSigningKeyPairResponse{
+ Result result = 1;
+ bytes SigningKeyBlob =2;
+ bytes signingPubKey =3;
+}
+
+// ICcreateAuthChallenge
+message ICcreateAuthChallengeRequest{
+}
+
+message ICcreateAuthChallengeResponse{
+ Result result = 1;
+ uint64 challenge = 2;
+}
+
+// ICstartRetrieveEntries
+message ICstartRetrieveEntriesRequest{
+}
+
+message ICstartRetrieveEntriesResponse{
+ Result result = 1;
+}
+
+// ICsetAuthToken
+message ICsetAuthTokenRequest{
+ uint64 challenge = 1;
+ uint64 secureUserId = 2;
+ uint64 authenticatorId = 3;
+ uint32 hardwareAuthenticatorType = 4;
+ uint64 timeStamp = 5;
+ bytes mac = 6;
+ uint64 verificationTokenTimestamp =7;
+ bytes verificationTokenMac = 8;
+}
+
+message ICsetAuthTokenResponse{
+ Result result = 1;
+}
+
+// ICpushReaderCert
+message ICpushReaderCertRequest{
+ bytes x509Cert = 1;
+ uint32 tbsCertificateOffset = 2;
+ uint32 tbsCertificateSize = 3;
+ uint32 signatureOffset = 4;
+ uint32 signatureSize = 5;
+ uint32 publicKeyOffset = 6;
+ uint32 publicKeySize = 7;
+ uint32 signAlg = 8;
+}
+
+message ICpushReaderCertResponse{
+ Result result = 1;
+}
+
+// ICvalidateAccessControlProfile
+message ICvalidateAccessControlProfileRequest{
+ uint32 id = 1;
+ bytes readerCertificate = 2;
+ bool userAuthenticationRequired = 3;
+ uint32 timeoutMillis = 4;
+ uint64 secureUserId = 5;
+ bytes mac = 6;
+ uint32 publicKeyOffset = 7;
+ uint32 publicKeysize = 8;
+}
+
+message ICvalidateAccessControlProfileResponse{
+ Result result = 1;
+ bool accessGranted = 2;
+}
+
+// ICvalidateRequestMessage
+message ICvalidateRequestMessageRequest{
+ bytes sessionTranscript = 1;
+ bytes requestMessage = 2;
+ uint32 coseSignAlg = 3;
+ bytes readerSignatureOfToBeSigned = 4;
+}
+
+message ICvalidateRequestMessageResponse{
+ Result result = 1;
+}
+
+// ICcalcMacKey
+message ICcalcMacKeyRequest{
+ bytes sessionTranscript = 1;
+ bytes readerEphemeralPublicKey = 2;
+ bytes signingKeyBlob = 3;
+ bytes docType = 4;
+ uint32 numNamespacesWithValues = 5;
+ uint32 expectedProofOfProvisioningSize = 6;
+}
+
+message ICcalcMacKeyResponse{
+ Result result = 1;
+}
+
+// ICstartRetrieveEntryValue
+message ICstartRetrieveEntryValueRequest{
+ string nameSpace = 1;
+ string name = 2;
+ uint32 newNamespaceNumEntries = 3;
+ uint32 entrySize = 4;
+ bytes accessControlProfileIds = 5;
+}
+
+message ICstartRetrieveEntryValueResponse{
+ AccessResult accessCheckResult = 1;
+}
+
+// ICretrieveEntryValue
+message ICretrieveEntryValueRequest{
+ bytes encryptedContent = 1;
+ string nameSpace = 2;
+ string name = 3;
+ bytes accessControlProfileIds = 4;
+}
+
+message ICretrieveEntryValueResponse{
+ Result result = 1;
+ bytes content = 2;
+}
+
+// ICfinishRetrieval
+message ICfinishRetrievalRequest{
+}
+
+message ICfinishRetrievalResponse{
+ Result result = 1;
+ bytes mac = 2;
+}
+
+// ICdeleteCredential
+message ICdeleteCredentialRequest{
+ bytes docType = 1;
+ bool testCredential = 2;
+ uint32 proofOfDeletionCborSize =3;
+}
+
+message ICdeleteCredentialResponse{
+ Result result = 1;
+ bytes signatureOfToBeSigned = 2;
+} \ No newline at end of file
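Review bot: `ICpushReaderCertRequest` and `ICvalidateAccessControlProfileRequest` carry caller-chosen offsets and sizes (`tbsCertificateOffset`/`tbsCertificateSize`, `signatureOffset`/`signatureSize`, `publicKeyOffset`/`publicKeySize`, `publicKeysize`) that index into a certificate blob, and the schema says nothing about how the app must treat them. Because the request comes from the host side, the contract should state the check, e.g. `// Each offset/size pair must lie inside x509Cert; the request is rejected if offset + size overflows or exceeds the certificate length.`, with the same comment for `readerCertificate` in the validate message. Separately, `timeoutMillis` is `uint64` in `WICaddAccessControlProfileRequest` but `uint32` in `ICvalidateAccessControlProfileRequest`. If the `mac` returned at provisioning covers that field (not visible here), a value above 32 bits cannot be presented again unchanged, so the two widths should match. None of the fields in this file are documented; at minimum the key-handling ones (`ephemeralPriv`, `encryptedCredentialKeys`, `signingKeyBlob`) deserve a line on who may hold them.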
diff --git a/nugget/proto/nugget/app/identity/identity_defs.proto b/nugget/proto/nugget/app/identity/identity_defs.proto
new file mode 100644
index 0000000..f372ad3
--- /dev/null
+++ b/nugget/proto/nugget/app/identity/identity_defs.proto
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) 2019 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+syntax = "proto3";
+
+package nugget.app.identity;
+
+/**
+ * The ResultCode enumeration is used to convey the status of an operation.
+ */
+enum ResultCode {
+ STATUS_OK = 0;
+ STATUS_FAILED = 1;
+ STATUS_CIPHER_SUITE_NOT_SUPPORTED = 2;
+ STATUS_INVALID_DATA = 3;
+ STATUS_INVALID_AUTH_TOKEN = 4;
+ STATUS_INVALID_ITEMS_REQUEST_MESSAGE = 5;
+ STATUS_READER_SIGNATURE_CHECK_FAILED = 6;
+ STATUS_EPHEMERAL_PUBLIC_KEY_NOT_FOUND = 7;
+ STATUS_USER_AUTHENTICATION_FAILED = 8;
+ STATUS_READER_AUTHENTICATION_FAILED = 9;
+ STATUS_NO_ACCESS_CONTROL_PROFILES = 10;
+ STATUS_NOT_IN_REQUEST_MESSAGE = 11;
+ STATUS_SESSION_TRANSCRIPT_MISMATCH = 12;
+};
+
+enum EicAccessCheckResult {
+ EIC_ACCESS_CHECK_RESULT_OK = 0;
+ EIC_ACCESS_CHECK_RESULT_FAILED = 1;
+ EIC_ACCESS_CHECK_RESULT_NO_ACCESS_CONTROL_PROFILES = 2;
+ EIC_ACCESS_CHECK_RESULT_USER_AUTHENTICATION_FAILED = 3;
+ EIC_ACCESS_CHECK_RESULT_READER_AUTHENTICATION_FAILED = 4;
+}; \ No newline at end of file
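Review bot: Both enums assign 0 to the success case (`STATUS_OK`, `EIC_ACCESS_CHECK_RESULT_OK`), and in proto3 0 is also what a reader sees when the field was never set, so an empty or truncated response decodes as success. For `EicAccessCheckResult` that means an access result the app never filled in reads as access granted. Since this file is new, consider keeping 0 for an unspecified value, e.g. `EIC_ACCESS_CHECK_RESULT_UNSPECIFIED = 0;`, if the numbering is not already fixed by the firmware side (not visible here). Otherwise add a comment on each enum that callers must check the transport status and the presence of the enclosing result message before trusting a zero code.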
diff --git a/nugget/proto/nugget/app/identity/identity_types.proto b/nugget/proto/nugget/app/identity/identity_types.proto
new file mode 100644
index 0000000..4c50f2c
--- /dev/null
+++ b/nugget/proto/nugget/app/identity/identity_types.proto
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) 2019 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+syntax = "proto3";
+
+package nugget.app.identity;
+
+import "nugget/protobuf/options.proto";
+import "nugget/app/identity/identity_defs.proto";
+
+message Result {
+ ResultCode result_code = 1;
+ string message = 2;
+}
+
+message AccessResult {
+ EicAccessCheckResult access_result = 1;
+ string message = 2;
+} \ No newline at end of file
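Review bot: `import "nugget/protobuf/options.proto";` is not used by anything in this file, since both messages only reference enums from identity_defs.proto, so the import can be dropped. `Result` and `AccessResult` also have no comments. I would add one on the `message` field such as `// Human-readable detail for logging only; callers must branch on the code, never on this text.` so that no caller starts parsing the string to make an access decision.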
diff --git a/nugget/proto/nugget/app/keymaster/keymaster.proto b/nugget/proto/nugget/app/keymaster/keymaster.proto
index a5108c0..e508c8e 100644
--- a/nugget/proto/nugget/app/keymaster/keymaster.proto
+++ b/nugget/proto/nugget/app/keymaster/keymaster.proto
@@ -125,6 +125,8 @@ service Keymaster {
* More vendor specific methods.
*/
rpc ReadCertificate(ReadCertificateRequest) returns (ReadCertificateResponse);
+ rpc IdentityStartAttestKey (IdentityStartAttestKeyRequest) returns (IdentityStartAttestKeyResponse);
+ rpc IdentityFinishAttestKey (IdentityFinishAttestKeyRequest) returns (IdentityFinishAttestKeyResponse);
/*
* Resume-on-Reboot implementation.
@@ -529,3 +531,31 @@ message VigoReleaseSecretResponse {
ErrorCode error_code = 1;
VigoSecret secret_encrypted = 2;
}
+
+// IdentityStartAttestKey
+message IdentityStartAttestKeyRequest {
+ bytes pubkey = 1;
+ KeyParameters params = 2;
+ uint32 attestation_app_id_len = 3;
+ AttestationSelector selector = 4;
+ bytes not_before = 5; // strftime('%y%m%d%H%M%SZ') [13 octects]
+ bytes not_after = 6; // strftime('%y%m%d%H%M%SZ') [13 octects]
+ uint64 creation_time_ms = 7; // Rough current time (ms since epoch).
+}
+message IdentityStartAttestKeyResponse {
+ ErrorCode error_code = 1;
+ OperationHandle handle = 2;
+ bytes certificate_prologue = 3;
+}
+
+// IdentityFinishAttestKeyRequest
+message IdentityFinishAttestKeyRequest {
+ OperationHandle handle = 1;
+ bool use_km_attest_key = 2;
+}
+message IdentityFinishAttestKeyResponse {
+ ErrorCode error_code = 1;
+ bytes certificate_epilogue = 2;
+ ChipFusing chip_fusing = 3;
+ bool nodelocked_ro = 4;
+}
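Review bot: `use_km_attest_key` in `IdentityFinishAttestKeyRequest` appears to let the caller choose which key signs the attestation, and `attestation_app_id_len` in `IdentityStartAttestKeyRequest` is a caller-supplied length with no matching data field in the same message; neither is documented. Both affect what ends up in a signed certificate, so the schema should say who may set them and what the app does with out-of-range values, e.g. `// Length of the attestation application id that the host will splice in; rejected if it exceeds the app's limit.` and a comment on `use_km_attest_key` naming the key used when it is false. The `not_before`/`not_after` comments give a fixed size of 13, so it is worth stating that other lengths are rejected, and fixing the spelling to `octets`. The second section header reads `// IdentityFinishAttestKeyRequest` where the first uses the RPC name `// IdentityStartAttestKey`.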
diff --git a/nugget/proto/nugget/app/protoapi/testing_api.proto b/nugget/proto/nugget/app/protoapi/testing_api.proto
index 7373da5..e88fb37 100644
--- a/nugget/proto/nugget/app/protoapi/testing_api.proto
+++ b/nugget/proto/nugget/app/protoapi/testing_api.proto
@@ -16,6 +16,7 @@ enum DcryptError {
MISSING_PARAMETER = 3;
KEYSIZE_MISMATCH = 4;
INVALID_TEST = 5;
+ KEYGEN_ERROR = 6;
}
// TODO remove this when oneof support is added to nanopb
@@ -36,6 +37,15 @@ enum OneofTestParametersCase {
kCavpHmacTest = 13;
kCavpShaMsgTest = 14;
kCavpShaMctTest = 15;
+ kCavpRsaKeyGenTest = 16;
+ kCavpRsaSigGenTest = 17;
+ kCavpRsaSigVerTest = 18;
+ kCavpDrbgTest = 19;
+ kCavpCkdfTest = 20;
+ kCavpEcdsaKeyPairTest = 21;
+ kCavpEcdsaPkvTest = 22;
+ kCavpEcdsaSigGenTest = 23;
+ kCavpEcdsaSigVerTest = 24;
}
// TODO remove this when oneof support is added to nanopb
@@ -50,6 +60,15 @@ enum OneofTestResultsCase {
kCavpAesGcmTestResult = 7;
kCavpHmacTestResult = 8;
kCavpShaTestResult = 9;
+ kCavpRsaKeyGenTestResult = 10;
+ kCavpRsaSigGenTestResult = 11;
+ kCavpRsaSigVerTestResult = 12;
+ kCavpDrbgTestResult = 13;
+ kCavpCkdfTestResult = 14;
+ kCavpEcdsaKeyPairTestResult = 15;
+ kCavpEcdsaPkvTestResult = 16;
+ kCavpEcdsaSigGenTestResult = 17;
+ kCavpEcdsaSigVerTestResult = 18;
}
message AesCbcEncryptTest {
@@ -156,6 +175,150 @@ message CavpShaTestResult {
bytes md = 2;
}
+enum CavpRsaMRTable {
+ C_2 = 0;
+ C_3 = 1;
+}
+
+enum CavpRsaPaddingType {
+ INVALID_PADDING = 0;
+ PKCS1 = 1;
+ PSS = 2;
+ OAEP = 3;
+}
+
+message CavpRsaKeyGenTest {
+ uint32 count = 1;
+ uint32 mod = 2;
+ CavpRsaMRTable table = 3;
+}
+
+message CavpRsaSigGenTest {
+ bool gen_n = 1;
+ CavpShaAlgorithm sha_alg = 2;
+ CavpRsaPaddingType padding = 3;
+ bytes msg = 4;
+}
+
+message CavpRsaSigVerTest {
+ uint32 mod = 1;
+ CavpShaAlgorithm sha_alg = 2;
+ CavpRsaPaddingType padding = 3;
+ uint32 e = 4;
+ bytes n = 5;
+ bytes msg = 6;
+ bytes sig = 7;
+}
+
+enum CavpRsaSigVerResult {
+ Pass = 0;
+ Fail_MessageChanged = 1;
+ Fail_General = 2;
+ Fail_SigChanged = 3;
+ Fail_EMHashMovedLeft = 4;
+ Fail_EMModPayload = 5;
+}
+
+message CavpRsaSigVerTestResult {
+ DcryptError result_code = 1;
+ CavpRsaSigVerResult verif_result = 2;
+}
+
+message CavpRsaSigGenTestResult {
+ DcryptError result_code = 1;
+ uint32 e = 2;
+ bytes n = 3;
+ bytes sig = 4;
+}
+
+message CavpRsaKeyGenTestResult {
+ DcryptError result_code = 1;
+ uint32 e = 2;
+ bytes p = 3;
+ bytes q = 4;
+ bytes n = 5;
+ bytes d = 6;
+}
+
+message CavpDrbgTest {
+ bool prediction_resistance = 2;
+ uint32 ret_len = 3;
+ bytes entropy_init = 4;
+ bytes nonce = 5;
+ bytes perso_str = 6;
+ bytes add_input_1 = 7;
+ bytes add_input_2 = 8;
+ bytes entropy_pr_1 = 10;
+ bytes entropy_pr_2 = 11;
+}
+
+message CavpDrbgTestResult {
+ DcryptError result_code = 1;
+ bytes bits = 2;
+}
+
+message CavpCkdfTest {
+ uint32 key_len = 1;
+ bytes key = 2;
+}
+
+message CavpCkdfTestResult {
+ DcryptError result_code = 1;
+ bytes key = 2;
+ bytes fixed_input_data = 3;
+}
+
+enum CavpEcdsaKeyGenTable {
+ B_4_1 = 0;
+ B_4_2 = 1;
+}
+
+message CavpEcdsaKeyPairTest {
+ CavpEcdsaKeyGenTable table = 1;
+}
+
+message CavpEcdsaKeyPairTestResult {
+ DcryptError result_code = 1;
+ bytes d = 2;
+ bytes qx = 3;
+ bytes qy = 4;
+}
+
+message CavpEcdsaPkvTest {
+ bytes qx = 1;
+ bytes qy = 2;
+}
+
+message CavpEcdsaPkvTestResult {
+ DcryptError result_code = 1;
+ bool result = 2;
+}
+
+message CavpEcdsaSigGenTest {
+ bytes msg = 1;
+}
+
+message CavpEcdsaSigGenTestResult {
+ DcryptError result_code = 1;
+ bytes qx = 2;
+ bytes qy = 3;
+ bytes r = 4;
+ bytes sig = 5;
+}
+
+message CavpEcdsaSigVerTest {
+ bytes msg = 1;
+ bytes qx = 2;
+ bytes qy = 3;
+ bytes r = 4;
+ bytes sig = 5;
+}
+
+message CavpEcdsaSigVerTestResult {
+ DcryptError result_code = 1;
+ bool result = 2;
+}
+
message TrngTest {
uint32 number_of_bytes = 1;
}
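Review bot: `CavpRsaKeyGenTestResult` (`p`, `q`, `d`) and `CavpEcdsaKeyPairTestResult` (`d`) return what look like private key components to the host. That is what CAVP vector validation needs, but the schema should say so. A leading comment such as `// Test-only: carries private key material for keys generated for this CAVP vector; never populated from device keys.` would make the boundary explicit; whether this API is excluded from production images cannot be told from this hunk. Separately, `CavpDrbgTest` skips field numbers 1 and 9; if those belonged to dropped fields, `reserved 1, 9;` keeps them from being reused with a different meaning. The new enum values (`Pass`, `PKCS1`, `PSS`, `C_2`) are unprefixed and share the package scope, so a prefix per enum would avoid later name collisions.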