authorAndroid Build Coastguard Worker <android-build-coastguard-worker@google.com>2023-11-17 00:08:35 +0000
committerAndroid Build Coastguard Worker <android-build-coastguard-worker@google.com>2023-11-17 00:08:35 +0000
commit7472783e26c7043abe17bd43d55261fe1db1a490 (patch)
tree02c02738ec837576e81b8715ec8abb6552bba8f7
parent5ff2431d2c77a8d3ea438b808937390dad6d55d1 (diff)
parent714c84a9225098abc2895d210bd4d56112802416 (diff)
downloadgeneric-android14-qpr2-s3-release.tar.gz
Change-Id: I34e22ce9d3a6e2c879aa4bb379a90ad0ff5a6920
-rw-r--r--nugget/proto/nugget/app/keymaster/ctdl/Android.bp75
-rw-r--r--nugget/proto/nugget/app/keymaster/ctdl/keymaster.options21
-rw-r--r--nugget/proto/nugget/app/keymaster/ctdl/keymaster.proto658
-rw-r--r--nugget/proto/nugget/app/keymaster/ctdl/keymaster_defs.proto340
-rw-r--r--nugget/proto/nugget/app/keymaster/ctdl/keymaster_types.options12
-rw-r--r--nugget/proto/nugget/app/keymaster/ctdl/keymaster_types.proto136
-rw-r--r--nugget/proto/nugget/app/keymaster/keymaster_types.options2
7 files changed, 1243 insertions, 1 deletions
diff --git a/nugget/proto/nugget/app/keymaster/ctdl/Android.bp b/nugget/proto/nugget/app/keymaster/ctdl/Android.bp
new file mode 100644
index 0000000..480cceb
--- /dev/null
+++ b/nugget/proto/nugget/app/keymaster/ctdl/Android.bp
@@ -0,0 +1,75 @@
+//
+// Copyright (C) 2017 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+package {
+ // See: http://go/android-license-faq
+ // A large-scale-change added 'default_applicable_licenses' to import
+ // all of the 'license_kinds' from "external_nos_host_generic_license"
+ // to get the below license kinds:
+ // SPDX-license-identifier-Apache-2.0
+ default_applicable_licenses: ["external_nos_host_generic_license"],
+}
+
+// For keymaster 3/4/4.1 @ citadel
+genrule {
+ name: "nos_app_keymaster_service_ctdl_genc++",
+ out: ["Keymaster.client.cpp"],
+ srcs: [
+ "keymaster.proto",
+ "keymaster_defs.proto",
+ "keymaster_types.proto",
+ ":nugget_options_proto",
+ ":libprotobuf-internal-protos",
+ ],
+ tools: ["aprotoc", "protoc-gen-nos-client-cpp"],
+ cmd: GEN_SERVICE_SOURCE,
+}
+
+genrule {
+ name: "nos_app_keymaster_service_ctdl_genc++_headers",
+ out: ["Keymaster.client.h"],
+ srcs: [
+ "keymaster.proto",
+ "keymaster_defs.proto",
+ "keymaster_types.proto",
+ ":nugget_options_proto",
+ ":libprotobuf-internal-protos",
+ ],
+ tools: ["aprotoc", "protoc-gen-nos-client-cpp"],
+ cmd: GEN_SERVICE_HEADER,
+}
+
+genrule {
+ name: "nos_app_keymaster_service_ctdl_genc++_mock",
+ out: ["MockKeymaster.client.h"],
+ srcs: [
+ "keymaster.proto",
+ "keymaster_defs.proto",
+ "keymaster_types.proto",
+ ":nugget_options_proto",
+ ":libprotobuf-internal-protos",
+ ],
+ tools: ["aprotoc", "protoc-gen-nos-client-cpp"],
+ cmd: GEN_SERVICE_MOCK,
+}
+
+cc_library {
+ name: "nos_app_keymaster_ctdl",
+ generated_sources: ["nos_app_keymaster_service_ctdl_genc++"],
+ generated_headers: ["nos_app_keymaster_service_ctdl_genc++_headers"],
+ defaults: ["nos_app_service_defaults"],
+ export_generated_headers: ["nos_app_keymaster_service_ctdl_genc++_headers"],
+}
diff --git a/nugget/proto/nugget/app/keymaster/ctdl/keymaster.options b/nugget/proto/nugget/app/keymaster/ctdl/keymaster.options
new file mode 100644
index 0000000..daec677
--- /dev/null
+++ b/nugget/proto/nugget/app/keymaster/ctdl/keymaster.options
@@ -0,0 +1,21 @@
+nugget.app.keymaster.ctdl.ImportWrappedKeyRequest.initialization_vector max_size:12
+nugget.app.keymaster.ctdl.ImportWrappedKeyRequest.gcm_tag max_size:16
+nugget.app.keymaster.ctdl.ImportWrappedKeyRequest.masking_key max_size:32
+nugget.app.keymaster.ctdl.SetRootOfTrustRequest.digest max_size:32
+nugget.app.keymaster.ctdl.SetBootStateRequest.public_key max_size:32
+nugget.app.keymaster.ctdl.SetBootStateRequest.boot_hash max_size:32
+nugget.app.keymaster.ctdl.ComputeSharedHmacRequest.hmac_sharing_params max_count:10
+nugget.app.keymaster.ctdl.ComputeSharedHmacResponse.sharing_check max_size:32
+nugget.app.keymaster.ctdl.DTupHandshakeRequest.nonce_client max_size:32
+nugget.app.keymaster.ctdl.DTupHandshakeResponse.nonce_citadel max_size:32
+nugget.app.keymaster.ctdl.DTupHandshakeResponse.signature max_size:32
+nugget.app.keymaster.ctdl.DTupFetchInputEventResponse.signature max_size:32
+nugget.app.keymaster.ctdl.GetBootInfoResponse.boot_key max_size:32
+nugget.app.keymaster.ctdl.GetBootInfoResponse.boot_hash max_size:32
+nugget.app.keymaster.ctdl.ProvisionPresharedSecretRequest.preshared_secret max_size:32
+nugget.app.keymaster.ctdl.StartAttestKeyRequest.not_before max_size:15
+nugget.app.keymaster.ctdl.StartAttestKeyRequest.not_after max_size:15
+nugget.app.keymaster.ctdl.StartAttestKeyRequest.caller_issuer_subj_name max_size:100
+nugget.app.keymaster.ctdl.ProvisionPresharedSecretResponse.digest max_size:32
+nugget.app.keymaster.ctdl.ProvisionCertificatesRequest.cert_block max_size: 1024
+nugget.app.keymaster.ctdl.ProvisionCertificatesRequest.digest max_size: 32
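Review bot: The size caps here cover `StartAttestKeyRequest.not_before`, `not_after` and `caller_issuer_subj_name`, but `IdentityStartAttestKeyRequest` declares the same three `bytes` fields in keymaster.proto and has no entry in this file, so those fields fall back to whatever the generator does for unbounded `bytes`. If these are nanopb-style options, that presumably means a callback or dynamically sized field rather than a fixed buffer on the Citadel side, which is worth deciding deliberately for data that arrives from the host. Consider adding `nugget.app.keymaster.ctdl.IdentityStartAttestKeyRequest.not_before max_size:15` with the matching `not_after` and `caller_issuer_subj_name max_size:100` lines, plus a header comment naming the `bytes` fields that are intentionally left unbounded. The same gap applies to `KeyParameter.blob` in keymaster_types.options, which can appear up to 20 times per `KeyParameters`. The last two lines also write `max_size: 1024` with a space where every other line uses the `max_size:12` form.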
diff --git a/nugget/proto/nugget/app/keymaster/ctdl/keymaster.proto b/nugget/proto/nugget/app/keymaster/ctdl/keymaster.proto
new file mode 100644
index 0000000..49f18b1
--- /dev/null
+++ b/nugget/proto/nugget/app/keymaster/ctdl/keymaster.proto
@@ -0,0 +1,658 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+syntax = "proto3";
+
+package nugget.app.keymaster.ctdl;
+
+import "nugget/app/keymaster/ctdl/keymaster_defs.proto";
+import "nugget/app/keymaster/ctdl/keymaster_types.proto";
+import "nugget/protobuf/options.proto";
+
+/*
+ * Keymaster service methods.
+ *
+ * TODO: some methods may be implemented in the host side HAL implementation.
+ */
+service Keymaster {
+ option (nugget.protobuf.app_id) = "KEYMASTER";
+ option (nugget.protobuf.app_name) = "Keymaster";
+ option (nugget.protobuf.app_version) = 1;
+ /*
+ * Both request and response buffers are sized such
+ * that a key-blob may be fully contained.
+ *
+ * TODO: revisit this choice in the event that memory
+ * is running out. Supporting smaller buffers will
+ * require that the keymaster app switch from the
+ * transport API to the datagram API.
+ */
+ option (nugget.protobuf.request_buffer_size) = 3072;
+ option (nugget.protobuf.response_buffer_size) = 2048;
+
+ /*
+ * KM3 methods, from:
+ * ::android::hardware::keymaster::V3_0::IKeymasterDevice
+ */
+ rpc AddRngEntropy (AddRngEntropyRequest) returns (AddRngEntropyResponse);
+ rpc GenerateKey (GenerateKeyRequest) returns (GenerateKeyResponse);
+ rpc GetKeyCharacteristics (GetKeyCharacteristicsRequest) returns (GetKeyCharacteristicsResponse);
+ rpc ImportKey (ImportKeyRequest) returns (ImportKeyResponse);
+ rpc ExportKey (ExportKeyRequest) returns (ExportKeyResponse);
+ rpc StartAttestKey (StartAttestKeyRequest) returns (StartAttestKeyResponse);
+ rpc UpgradeKey (UpgradeKeyRequest) returns (UpgradeKeyResponse);
+ rpc DeleteKey (DeleteKeyRequest) returns (DeleteKeyResponse);
+ rpc DeleteAllKeys (DeleteAllKeysRequest) returns (DeleteAllKeysResponse);
+ rpc DestroyAttestationIds (DestroyAttestationIdsRequest) returns (DestroyAttestationIdsResponse);
+ rpc BeginOperation (BeginOperationRequest) returns (BeginOperationResponse);
+ rpc UpdateOperation (UpdateOperationRequest) returns (UpdateOperationResponse);
+ rpc FinishOperation (FinishOperationRequest) returns (FinishOperationResponse);
+ rpc AbortOperation (AbortOperationRequest) returns (AbortOperationResponse);
+
+ /*
+ * KM4 methods.
+ */
+ rpc ImportWrappedKey (ImportWrappedKeyRequest) returns (ImportKeyResponse);
+
+ /*
+ * Vendor specific methods (bootloader, manufacturing, status,
+ * factory reset, upgrade).
+ */
+ // Only callable by the Bootloader.
+ rpc SetRootOfTrust (SetRootOfTrustRequest) returns (SetRootOfTrustResponse);
+ // Only callable by the Bootloader.
+ rpc SetBootState (SetBootStateRequest) returns (SetBootStateResponse);
+ // Only callable at the Device Factory.
+ rpc ProvisionDeviceIds (ProvisionDeviceIdsRequest) returns (ProvisionDeviceIdsResponse);
+ // Only callable at the Device Factory.
+ rpc ReadTeeBatchCertificate (ReadTeeBatchCertificateRequest) returns (ReadTeeBatchCertificateResponse);
+
+ /*
+ * More KM4 methods.
+ */
+ rpc GetHmacSharingParameters (GetHmacSharingParametersRequest) returns (GetHmacSharingParametersResponse);
+ rpc ComputeSharedHmac (ComputeSharedHmacRequest) returns (ComputeSharedHmacResponse);
+
+ /*
+ * DTup input session methods.
+ */
+ rpc HandshakeDTup (DTupHandshakeRequest) returns (DTupHandshakeResponse);
+ rpc FetchDTupInputEvent (DTupFetchInputEventRequest) returns (DTupFetchInputEventResponse);
+
+ /*
+ * More vendor specific methods.
+ */
+ // Only callable once per boot.
+ rpc SetSystemVersionInfo (SetSystemVersionInfoRequest) returns (SetSystemVersionInfoResponse);
+ rpc GetBootInfo (GetBootInfoRequest) returns (GetBootInfoResponse);
+
+ /*
+ * Called during provisioning by the CitadelProvision tool.
+ */
+ rpc ProvisionPresharedSecret (ProvisionPresharedSecretRequest) returns (ProvisionPresharedSecretResponse);
+
+ /*
+ * Additional attestation methods.
+ */
+ rpc ContinueAttestKey(ContinueAttestKeyRequest) returns (ContinueAttestKeyResponse);
+ rpc FinishAttestKey(FinishAttestKeyRequest) returns (FinishAttestKeyResponse);
+
+ /*
+ * More vendor specific methods.
+ */
+ rpc ProvisionCertificates(ProvisionCertificatesRequest) returns (ProvisionCertificatesResponse);
+
+ /*
+ * KM4.1 methods.
+ */
+ rpc DeviceLocked(DeviceLockedRequest) returns (DeviceLockedResponse);
+ rpc EarlyBootEnded(EarlyBootEndedRequest) returns (EarlyBootEndedResponse);
+
+ /*
+ * More vendor specific methods.
+ */
+ rpc ReadCertificate(ReadCertificateRequest) returns (ReadCertificateResponse);
+ rpc IdentityStartAttestKey (IdentityStartAttestKeyRequest) returns (IdentityStartAttestKeyResponse);
+ rpc IdentityFinishAttestKey (IdentityFinishAttestKeyRequest) returns (IdentityFinishAttestKeyResponse);
+
+ /*
+ * Resume-on-Reboot implementation.
+ */
+ rpc VigoReadVS(VigoReadVSRequest) returns (VigoReadVSResponse);
+ rpc VigoStartChannel(VigoStartChannelRequest)
+ returns (VigoStartChannelResponse);
+ rpc VigoStoreSecret(VigoStoreSecretRequest) returns (VigoStoreSecretResponse);
+ rpc VigoReleaseSecret(VigoReleaseSecretRequest)
+ returns (VigoReleaseSecretResponse);
+
+ /*
+ * pKVM implementation
+ */
+ rpc GetPerFactoryResetValue(GetPerFactoryResetValueRequest) returns (GetPerFactoryResetValueResponse);
+
+ /*
+ * RKP implementation
+ */
+ rpc GenerateRkpKey(GenerateRkpKeyRequest) returns (GenerateRkpKeyResponse);
+ rpc GenerateRkpCsr(GenerateRkpCsrRequest) returns (GenerateRkpCsrResponse);
+
+ /*
+ * Vendor specific method. To export IMEI/DSU to trusty only
+ */
+ rpc ExportDeviceIds(ExportDeviceIdsRequest) returns (ExportDeviceIdsResponse);
+
+ /*
+ * RKP v3 implementation
+ */
+ rpc GenerateRkpCsrV2(GenerateRkpCsrV2Request) returns (GenerateRkpCsrV2Response);
+ // These are implemented with a enum, so new RPCs must be appended, and
+ // deprecated RPCs need placeholders.
+}
+
+/*
+ * KM3 messages.
+ */
+
+// AddEntropy
+message AddRngEntropyRequest {
+ bytes data = 1;
+}
+message AddRngEntropyResponse {
+ ErrorCode error_code = 1;
+}
+
+// GenerateKey
+message GenerateKeyRequest {
+ KeyParameters params = 1;
+ uint64 creation_time_ms = 2; // Rough current time (ms since epoch).
+}
+message GenerateKeyResponse {
+ ErrorCode error_code = 1;
+ KeyBlob blob = 2;
+ KeyCharacteristics characteristics = 3;
+}
+
+// GetKeyCharacteristics
+message GetKeyCharacteristicsRequest {
+ KeyBlob blob = 1;
+ bytes client_id = 2;
+ bytes app_data = 3;
+}
+message GetKeyCharacteristicsResponse {
+ ErrorCode error_code = 1;
+ KeyCharacteristics characteristics = 2;
+}
+
+// ImportKey
+message ImportKeyRequest {
+ KeyParameters params = 1;
+ RSAKey rsa = 2;
+ ECKey ec = 3;
+ SymmetricKey symmetric_key = 4;
+ uint64 creation_time_ms = 5; // Rough current time (ms since epoch).
+};
+message ImportKeyResponse {
+ ErrorCode error_code = 1;
+ KeyBlob blob = 2;
+ KeyCharacteristics characteristics = 3;
+};
+
+// ExportKey
+message ExportKeyRequest {
+ KeyFormat format = 1;
+ KeyBlob blob = 2;
+ bytes client_id = 3;
+ bytes app_data = 4;
+};
+message ExportKeyResponse {
+ ErrorCode error_code = 1;
+ Algorithm algorithm = 2;
+ RSAKey rsa = 3;
+ ECKey ec = 4;
+};
+
+// StartAttestKey
+message StartAttestKeyRequest {
+ KeyBlob blob = 1;
+ KeyParameters params = 2;
+ uint32 attestation_app_id_len = 3;
+ AttestationSelector selector = 4;
+ bytes not_before = 5; // strftime('%Y%m%d%H%M%SZ') [15 octects]
+ bytes not_after = 6; // strftime('%Y%m%d%H%M%SZ') [15 octects]
+ bytes caller_issuer_subj_name = 7;
+ KeyParameters caller_key_params = 8;
+}
+message StartAttestKeyResponse {
+ ErrorCode error_code = 1;
+ OperationHandle handle = 2;
+ bytes certificate_prologue = 3;
+}
+
+// ContinueAttestKeyRequest
+message ContinueAttestKeyRequest {
+ OperationHandle handle = 1;
+ // bytes attestation_app_id = 2; // Unused, contained within params
+ KeyParameters params = 3;
+}
+message ContinueAttestKeyResponse {
+ ErrorCode error_code = 1;
+ bytes certificate_body = 2;
+}
+
+// FinishAttestKeyRequest
+message FinishAttestKeyRequest {
+ OperationHandle handle = 1;
+ KeyBlob caller_blob = 2;
+ KeyParameters caller_key_params = 3;
+}
+message FinishAttestKeyResponse {
+ ErrorCode error_code = 1;
+ bytes certificate_epilogue = 2;
+ ChipFusing chip_fusing = 3;
+ bool nodelocked_ro = 4;
+}
+
+// UpgradeKey
+message UpgradeKeyRequest {
+ KeyBlob blob = 1;
+ KeyParameters params = 2;
+}
+message UpgradeKeyResponse {
+ ErrorCode error_code = 1;
+ KeyBlob blob = 2;
+}
+
+// DeleteKey
+message DeleteKeyRequest {
+ KeyBlob blob = 1;
+}
+message DeleteKeyResponse {
+ ErrorCode error_code = 1;
+}
+
+// DeleteAllKeys
+message DeleteAllKeysRequest {}
+message DeleteAllKeysResponse {
+ ErrorCode error_code = 1;
+}
+
+// DestroyAttestationIds
+message DestroyAttestationIdsRequest {}
+message DestroyAttestationIdsResponse {
+ ErrorCode error_code = 1;
+}
+
+// BeginOperation
+message BeginOperationRequest {
+ KeyPurpose purpose = 1;
+ KeyBlob blob = 2;
+ KeyParameters params = 3;
+ HardwareAuthToken auth_token = 4;
+}
+message BeginOperationResponse {
+ ErrorCode error_code = 1;
+ KeyParameters params = 2;
+ OperationHandle handle = 3;
+ Algorithm algorithm = 4;
+ uint32 key_bits = 5;
+}
+
+// UpdateOperation
+message UpdateOperationRequest {
+ OperationHandle handle = 1;
+ KeyParameters params = 2;
+ bytes input = 3;
+ HardwareAuthToken auth_token = 4;
+ VerificationToken verification_token = 5;
+}
+message UpdateOperationResponse {
+ ErrorCode error_code = 1;
+ uint32 consumed = 2;
+ KeyParameters params = 3;
+ bytes output = 4;
+}
+
+// FinishOperation
+message FinishOperationRequest {
+ OperationHandle handle = 1;
+ KeyParameters params = 2;
+ bytes input = 3;
+ bytes signature = 4;
+ HardwareAuthToken auth_token = 5;
+ VerificationToken verification_token = 6;
+};
+message FinishOperationResponse {
+ ErrorCode error_code = 1;
+ KeyParameters params = 2;
+ bytes output = 3;
+};
+
+// AbortOperation
+message AbortOperationRequest {
+ OperationHandle handle = 1;
+};
+message AbortOperationResponse {
+ ErrorCode error_code = 1;
+};
+
+/*
+ * KM4 messages.
+ */
+
+// ImportWrappedKey
+message ImportWrappedKeyRequest {
+ uint32 key_format = 1;
+ KeyParameters params = 2;
+ bytes rsa_envelope = 3;
+ bytes initialization_vector = 4; // Fixed sized array.
+ bytes encrypted_import_key = 5;
+ bytes aad = 6;
+ bytes gcm_tag = 7; // Fixed sized array.
+ KeyBlob wrapping_key_blob = 8;
+ bytes masking_key = 9; // Fixed sized array.
+ uint64 creation_time_ms = 10; // Rough current time (ms since epoch).
+}
+// ImportWrappedKey returns a ImportKeyResponse.
+
+// GetHmacSharingParametersRequest
+message GetHmacSharingParametersRequest {
+}
+message GetHmacSharingParametersResponse {
+ ErrorCode error_code = 1;
+ HmacSharingParameters hmac_sharing_params = 2;
+}
+
+// ComputeSharedHmacRequest
+message ComputeSharedHmacRequest {
+ repeated HmacSharingParameters hmac_sharing_params = 1;
+}
+message ComputeSharedHmacResponse {
+ ErrorCode error_code = 1;
+ bytes sharing_check = 2;
+}
+
+// DeviceLockedRequest
+message DeviceLockedRequest {
+ bool password_only = 1;
+ VerificationToken verification_token = 2;
+}
+message DeviceLockedResponse {
+ ErrorCode error_code = 1;
+}
+
+// DeviceLockedRequest
+message EarlyBootEndedRequest {}
+message EarlyBootEndedResponse {
+ ErrorCode error_code = 1;
+}
+
+/*
+ * Vendor HAL.
+ */
+
+// SetRootOfTrustRequest
+// Only callable by the Bootloader.
+message SetRootOfTrustRequest {
+ bytes digest = 1; // This is a SHA256 digest.
+}
+message SetRootOfTrustResponse {
+ // Specified in keymaster_defs.proto:ErrorCode
+ ErrorCode error_code = 1;
+}
+
+// SetBootStateRequest
+// Only callable by the Bootloader.
+message SetBootStateRequest {
+ bool is_unlocked = 1;
+ bytes public_key = 2; // This is a SHA256 digest.
+ BootColor color = 3;
+ uint32 system_version = 4; // Deprecated.
+ uint32 system_security_level = 5; // Patch level of the boot partition.
+ bytes boot_hash = 6; // This is a SHA256 digest.
+ uint32 boot_security_level = 7;
+}
+message SetBootStateResponse {
+ // Specified in keymaster_defs.proto:ErrorCode
+ ErrorCode error_code = 1;
+}
+
+// ProvisionDeviceIds
+// Only callable at the Device Factory
+message ProvisionDeviceIdsRequest {
+ bytes product_brand = 1;
+ bytes product_device = 2;
+ bytes product_name = 3;
+ bytes serialno = 4;
+ bytes product_manufacturer = 5;
+ bytes product_model = 6;
+ bytes imei = 7;
+ bytes meid = 8;
+ bytes imei2 = 9;
+}
+message ProvisionDeviceIdsResponse {
+ // Specified in keymaster_defs.proto:ErrorCode
+ ErrorCode error_code = 1;
+ ChipFusing chip_fusing = 2;
+ bool nodelocked_ro = 3;
+}
+
+message ExportDeviceIdsRequest {
+ bytes challenge = 1;
+ bytes challenge_hmac = 2;
+}
+
+message ExportDeviceIdsResponse {
+ ErrorCode error_code = 1;
+ bytes product_brand = 2;
+ bytes product_device = 3;
+ bytes product_name = 4;
+ bytes serialno = 5;
+ bytes product_manufacturer = 6;
+ bytes product_model = 7;
+ bytes imei = 8;
+ bytes meid = 9;
+ bytes ids_hmac = 10;
+}
+
+// ReadTeeBatchCertificate
+// Only callable at the Device Factory
+message ReadTeeBatchCertificateRequest {
+ Algorithm algorithm = 1;
+}
+message ReadTeeBatchCertificateResponse {
+ ErrorCode error_code = 1;
+ RSAKey rsa = 2; // rsa or ec set based on request algorithm selector.
+ ECKey ec = 3;
+ bytes batch_cert = 4;
+}
+
+message DTupHandshakeRequest {
+ bytes nonce_client = 1;
+}
+
+message DTupHandshakeResponse {
+ DTupError error_code = 1;
+ bytes nonce_citadel = 2;
+ bytes signature = 3;
+}
+
+message DTupFetchInputEventRequest {}
+
+message DTupFetchInputEventResponse {
+ DTupError error_code = 1;
+ DTupKeyEvent event = 2;
+ bytes signature = 3;
+}
+
+message SetSystemVersionInfoRequest {
+ uint32 system_version = 1; // getprop "ro.build.version.release"
+ uint32 system_security_level = 2; // getprop "ro.build.version.security_patch"
+ uint32 vendor_security_level = 3; // getprop "ro.vendor.build.security_patch"
+ uint32 vendor_api_level = 4;
+}
+
+message SetSystemVersionInfoResponse {
+ // Specified in keymaster_defs.proto:ErrorCode
+ ErrorCode error_code = 1;
+}
+
+message GetBootInfoRequest {}
+
+message GetBootInfoResponse {
+ ErrorCode error_code = 1;
+ bool is_unlocked = 2;
+ BootColor boot_color = 3;
+ bytes boot_key = 4; // This is a SHA256 digest.
+ bytes boot_hash = 5; // This is a SHA256 digest.
+}
+
+message ProvisionPresharedSecretRequest {
+ bytes preshared_secret = 1;
+ bool get_status = 2;
+}
+message ProvisionPresharedSecretResponse {
+ ErrorCode error_code = 1;
+ PresharedSecretStatus status = 2;
+ BootColor color = 3;
+ bytes digest = 4;
+}
+
+message ProvisionCertificatesRequest {
+ uint32 block_number = 1;
+ bytes cert_block = 2;
+ bytes digest = 3;
+}
+message ProvisionCertificatesResponse {
+ ErrorCode error_code = 1;
+ CertificateStatus cert_status = 2;
+}
+
+message ReadCertificateRequest {
+ AttestationSelector selector = 1;
+ Algorithm algorithm = 2;
+}
+message ReadCertificateResponse {
+ ErrorCode error_code = 1;
+ Certificate cert = 2;
+}
+
+message VigoReadVSRequest {}
+message VigoReadVSResponse {
+ ErrorCode error_code = 1;
+ VigoKey vs_key = 2;
+}
+message VigoStartChannelRequest {
+ VigoKey client_key = 1;
+}
+message VigoStartChannelResponse {
+ ErrorCode error_code = 1;
+ VigoKey server_key = 2;
+ VigoSignature channel_signature = 3;
+}
+message VigoStoreSecretRequest {
+ VigoKey rs_key = 1;
+ VigoSecret secret_encrypted = 2;
+}
+message VigoStoreSecretResponse {
+ ErrorCode error_code = 1;
+}
+message VigoReleaseSecretRequest {
+ VigoSignature rs_signature = 1;
+}
+message VigoReleaseSecretResponse {
+ ErrorCode error_code = 1;
+ VigoSecret secret_encrypted = 2;
+}
+
+// IdentityStartAttestKey
+message IdentityStartAttestKeyRequest {
+ bytes pubkey = 1;
+ KeyParameters params = 2;
+ uint32 attestation_app_id_len = 3;
+ AttestationSelector selector = 4;
+ bytes not_before = 5; // strftime('%y%m%d%H%M%SZ') [15 octects]
+ bytes not_after = 6; // strftime('%y%m%d%H%M%SZ') [15 octects]
+ uint64 creation_time_ms = 7; // Rough current time (ms since epoch).
+ bool use_km_attest_key = 8;
+ bytes caller_issuer_subj_name = 9;
+}
+message IdentityStartAttestKeyResponse {
+ ErrorCode error_code = 1;
+ OperationHandle handle = 2;
+ bytes certificate_prologue = 3;
+}
+
+// IdentityFinishAttestKeyRequest
+message IdentityFinishAttestKeyRequest {
+ OperationHandle handle = 1;
+ bool use_km_attest_key = 2;
+ KeyBlob caller_blob = 3;
+}
+message IdentityFinishAttestKeyResponse {
+ ErrorCode error_code = 1;
+ bytes certificate_epilogue = 2;
+ ChipFusing chip_fusing = 3;
+ bool nodelocked_ro = 4;
+}
+
+// pKVM messages
+message GetPerFactoryResetValueRequest {
+ bool bootloader_only = 1;
+ bytes input = 2;
+}
+message GetPerFactoryResetValueResponse {
+ ErrorCode error_code = 1;
+ bytes output = 2;
+}
+
+// RKP messages
+message GenerateRkpKeyRequest{
+ bool test_mode = 1;
+ KeyParameters params = 2;
+ KeyBlob blob = 3;
+}
+message GenerateRkpKeyResponse{
+ ErrorCode error_code = 1;
+ bytes maced_public_key = 2;
+}
+
+message GenerateRkpCsrRequest{
+ bool test_mode = 1;
+ KeysToSign keys_to_sign = 2;
+ bytes endpoint_enc_cert_chain = 3;
+ bytes challenge = 4;
+}
+message GenerateRkpCsrResponse{
+ ErrorCode error_code = 1;
+ bytes keys_to_sign_mac = 2;
+ bytes device_info_blob = 3;
+ bytes protected_data_blob = 4;
+}
+
+message GenerateRkpCsrV2Request{
+ RkpCsrV2Operation step = 1;
+ bytes challenge = 2;
+ uint32 num_of_public_keys = 3;
+ MacedKey key_to_sign = 4;
+ OperationHandle handle = 5;
+}
+message GenerateRkpCsrV2Response{
+ ErrorCode error_code = 1;
+ OperationHandle handle = 2;
+ bytes device_info_blob = 3;
+ bytes dice_cert_chain = 4;
+ bytes signature = 5;
+}
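Review bot: `ContinueAttestKeyRequest` retires field 2 by commenting it out (`// bytes attestation_app_id = 2; // Unused, contained within params`), which leaves the number free for a later field to reuse against firmware that may still parse it as the old type; `reserved 2; reserved "attestation_app_id";` lets the compiler enforce that. The comments on `IdentityStartAttestKeyRequest.not_before` / `not_after` say `strftime('%y%m%d%H%M%SZ') [15 octects]`, but `%y` yields 13 octets while the `%Y` form documented on `StartAttestKeyRequest` yields 15, so one of the two is wrong and the comment should state which encoding the firmware expects. The header comment above `EarlyBootEndedRequest` reads `// DeviceLockedRequest` and looks like a copy-paste leftover. The caller restrictions ("Only callable by the Bootloader", "Only callable at the Device Factory") exist only as comments in the schema; a line saying where each is enforced and which `ErrorCode` a rejected caller receives would help reviewers of the host side.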
diff --git a/nugget/proto/nugget/app/keymaster/ctdl/keymaster_defs.proto b/nugget/proto/nugget/app/keymaster/ctdl/keymaster_defs.proto
new file mode 100644
index 0000000..1927026
--- /dev/null
+++ b/nugget/proto/nugget/app/keymaster/ctdl/keymaster_defs.proto
@@ -0,0 +1,340 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+syntax = "proto3";
+
+package nugget.app.keymaster.ctdl;
+
+/*
+ * Minimal type definitions required for building protos. Sourced from:
+ * ::android::hardware::keymaster::V3_0
+ */
+enum TagType {
+ TAG_TYPE_INVALID = 0x0; /* 0 << 16 */
+ ENUM = 0x10000; /* 1 << 16 */
+ ENUM_REP = 0x20000; /* 2 << 16 */
+ UINT = 0x30000; /* 3 << 16 */
+ UINT_REP = 0x40000; /* 4 << 16 */
+ ULONG = 0x50000; /* 5 << 16 */
+ DATE = 0x60000; /* 6 << 16 */
+ BOOL = 0x70000; /* 7 << 16 */
+ BIGNUM_ = 0x80000; /* 8 << 16 */
+ BYTES = 0x90000; /* 9 << 16 */
+ ULONG_REP = 0xA0000; /* 10 << 16 */
+};
+
+enum Tag {
+ TAG_INVALID = 0; // (TagType:INVALID | 0)
+ PURPOSE = 0x20001; // (TagType:ENUM_REP | 1)
+ ALGORITHM = 0x10002; // (TagType:ENUM | 2)
+ KEY_SIZE = 0x30003; // (TagType:UINT | 3)
+ BLOCK_MODE = 0x20004; // (TagType:ENUM_REP | 4)
+ DIGEST = 0x20005; // (TagType:ENUM_REP | 5)
+ PADDING = 0x20006; // (TagType:ENUM_REP | 6)
+ CALLER_NONCE = 0x70007; // (TagType:BOOL | 7)
+ MIN_MAC_LENGTH = 0x30008; // (TagType:UINT | 8)
+ /* RESERVED: KDF = 0x20009; // (TagType:ENUM_REP | 9) */
+ EC_CURVE = 0x1000a; // (TagType:ENUM | 10)
+ RSA_PUBLIC_EXPONENT = 0x500c8; // (TagType:ULONG | 200)
+ /* RESERVED: ECIES_SINGLE_HASH_MODE = 0x700c9; // (TagType:BOOL | 201) */
+ INCLUDE_UNIQUE_ID = 0x700ca; // (TagType:BOOL | 202)
+ RSA_OAEP_MGF_DIGEST = 0x200cb; // (TagType:ENUM_REP | 203)
+ BLOB_USAGE_REQUIREMENTS = 0x1012d; // (TagType:ENUM | 301)
+ BOOTLOADER_ONLY = 0x7012e; // (TagType:BOOL | 302)
+ ROLLBACK_RESISTANCE = 0x7012f; // (TagType:BOOL | 303)
+ HARDWARE_TYPE = 0x10130; // TagType:ENUM | 304,
+ EARLY_BOOT_ONLY = 0x70131; // TagType:BOOL | 305,
+ ACTIVE_DATETIME = 0x60190; // (TagType:DATE | 400)
+ ORIGINATION_EXPIRE_DATETIME = 0x60191; // (TagType:DATE | 401)
+ USAGE_EXPIRE_DATETIME = 0x60192; // (TagType:DATE | 402)
+ MIN_SECONDS_BETWEEN_OPS = 0x30193; // (TagType:UINT | 403)
+ MAX_USES_PER_BOOT = 0x30194; // (TagType:UINT | 404)
+ USAGE_COUNT_LIMIT = 0x30195; // (TagType:UINT | 405)
+ /* RESERVED: ALL_USERS = 0x701f4; // (TagType:BOOL | 500) */
+ USER_ID = 0x301f5; // (TagType:UINT | 501)
+ USER_SECURE_ID = 0xa01f6; // (TagType:ULONG_REP | 502)
+ NO_AUTH_REQUIRED = 0x701f7; // (TagType:BOOL | 503)
+ USER_AUTH_TYPE = 0x101f8; // (TagType:ENUM | 504)
+ AUTH_TIMEOUT = 0x301f9; // (TagType:UINT | 505)
+ ALLOW_WHILE_ON_BODY = 0x701fa; // (TagType:BOOL | 506)
+ TRUSTED_USER_PRESENCE_REQUIRED = 0x701fb; // (TagType:BOOL | 507)
+ TRUSTED_CONFIRMATION_REQUIRED = 0x701fc; // (TagType:BOOL | 508)
+ UNLOCKED_DEVICE_REQUIRED = 0x701fd; // (TagType:BOOL | 509)
+ /* RESERVED: ALL_APPLICATIONS = 0x70258; // (TagType:BOOL | 600) */
+ APPLICATION_ID = 0x90259; // (TagType:BYTES | 601)
+ /* RESERVED: EXPORTABLE = 0x7025a; // (TagType:BOOL | 602) */
+ APPLICATION_DATA = 0x902bc; // (TagType:BYTES | 700)
+ CREATION_DATETIME = 0x602bd; // (TagType:DATE | 701)
+ ORIGIN = 0x102be; // (TagType:ENUM | 702)
+ /* RESERVED: ROLLBACK_RESISTANT = 0x702bf; // (TagType:BOOL | 703) */
+ ROOT_OF_TRUST = 0x902c0; // (TagType:BYTES | 704)
+ OS_VERSION = 0x302c1; // (TagType:UINT | 705)
+ OS_PATCHLEVEL = 0x302c2; // (TagType:UINT | 706)
+ UNIQUE_ID = 0x902c3; // (TagType:BYTES | 707)
+ ATTESTATION_CHALLENGE = 0x902c4; // (TagType:BYTES | 708)
+ ATTESTATION_APPLICATION_ID = 0x902c5; // (TagType:BYTES | 709)
+ ATTESTATION_ID_BRAND = 0x902c6; // (TagType:BYTES | 710)
+ ATTESTATION_ID_DEVICE = 0x902c7; // (TagType:BYTES | 711)
+ ATTESTATION_ID_PRODUCT = 0x902c8; // (TagType:BYTES | 712)
+ ATTESTATION_ID_SERIAL = 0x902c9; // (TagType:BYTES | 713)
+ ATTESTATION_ID_IMEI = 0x902ca; // (TagType:BYTES | 714)
+ ATTESTATION_ID_MEID = 0x902cb; // (TagType:BYTES | 715)
+ ATTESTATION_ID_MANUFACTURER = 0x902cc; // (TagType:BYTES | 716)
+ ATTESTATION_ID_MODEL = 0x902cd; // (TagType:BYTES | 717)
+ VENDOR_PATCHLEVEL = 0x302ce; // (TagType:UINT | 718)
+ BOOT_PATCHLEVEL = 0x302cf; // (TagType:UINT | 719)
+ DEVICE_UNIQUE_ATTESTATION = 0x702d0; // (TagType:BOOL | 720)
+ IDENTITY_CREDENTIAL_KEY = 0x702d1; // (TagType:BOOL | 721)
+ STORAGE_KEY = 0x702d2; // (TagType:BOOL | 722)
+ ATTESTATION_ID_SECOND_IMEI = 0x902d3; // (TagType:BYTES | 723)
+ ASSOCIATED_DATA = 0x903e8; // (TagType:BYTES | 1000)
+ NONCE = 0x903e9; // (TagType:BYTES | 1001)
+ /* RESERVED: AUTH_TOKEN = 0x903ea; // (TagType:BYTES | 1002) */
+ MAC_LENGTH = 0x303eb; // (TagType:UINT | 1003)
+ RESET_SINCE_ID_ROTATION = 0x703ec; // (TagType:BOOL | 1004)
+ CONFIRMATION_TOKEN = 0x903ed; // (TagType:BYTES | 1005)
+ CERTIFICATE_SERIAL = 0x803ee; // (TagType:BIGNUM | 1006)
+ CERTIFICATE_SUBJECT = 0x903ef; // (TagType:BYTES | 1007)
+};
+
+enum Algorithm {
+ RSA = 0;
+ EC = 1;
+ AES = 2;
+ DES = 3;
+ HMAC = 4;
+ ALGORITHM_MAX = 5;
+};
+
+enum BlockMode {
+ ECB = 0;
+ CBC = 1;
+ CTR = 2;
+ GCM = 3;
+ BLOCK_MODE_MAX = 4;
+};
+
+enum PaddingMode {
+ PADDING_NONE = 0;
+ PADDING_RSA_OAEP = 1;
+ PADDING_RSA_PSS = 2;
+ PADDING_RSA_PKCS1_1_5_ENCRYPT = 3;
+ PADDING_RSA_PKCS1_1_5_SIGN = 4;
+ PADDING_PKCS7 = 5;
+ PADDING_MODE_MAX = 6;
+};
+
+enum Digest {
+ DIGEST_NONE = 0;
+ DIGEST_MD5 = 1;
+ DIGEST_SHA1 = 2;
+ DIGEST_SHA_2_224 = 3;
+ DIGEST_SHA_2_256 = 4;
+ DIGEST_SHA_2_384 = 5;
+ DIGEST_SHA_2_512 = 6;
+ DIGEST_MAX = 7;
+};
+
+enum EcCurve {
+ P_224 = 0;
+ P_256 = 1;
+ P_384 = 2;
+ P_521 = 3;
+ EC_CURVE_MAX = 4;
+};
+
+enum KeyOrigin {
+ GENERATED = 0;
+ DERIVED = 1;
+ IMPORTED = 2;
+ UNKNOWN = 3;
+ SECURELY_IMPORTED = 4;
+ KEY_ORIGIN_MAX = 5;
+};
+
+enum KeyBlobUsageRequirements {
+ STANDALONE = 0;
+ REQUIRES_FILE_SYSTEM = 1;
+ KEY_USAGE_MAX = 2;
+};
+
+enum KeyPurpose {
+ ENCRYPT = 0;
+ DECRYPT = 1;
+ SIGN = 2;
+ VERIFY = 3;
+ /* RESERVED: DERIVE_KEY = 4; */
+ WRAP_KEY = 5;
+ AGREE_KEY = 6;
+ ATTEST_KEY = 7;
+ PURPOSE_MAX = 8;
+};
+
+enum ErrorCode {
+ OK = 0;
+ ROOT_OF_TRUST_ALREADY_SET = 1;
+ UNSUPPORTED_PURPOSE = 2;
+ INCOMPATIBLE_PURPOSE = 3;
+ UNSUPPORTED_ALGORITHM = 4;
+ INCOMPATIBLE_ALGORITHM = 5;
+ UNSUPPORTED_KEY_SIZE = 6;
+ UNSUPPORTED_BLOCK_MODE = 7;
+ INCOMPATIBLE_BLOCK_MODE = 8;
+ UNSUPPORTED_MAC_LENGTH = 9;
+ UNSUPPORTED_PADDING_MODE = 10;
+ INCOMPATIBLE_PADDING_MODE = 11;
+ UNSUPPORTED_DIGEST = 12;
+ INCOMPATIBLE_DIGEST = 13;
+ INVALID_EXPIRATION_TIME = 14;
+ INVALID_USER_ID = 15;
+ INVALID_AUTHORIZATION_TIMEOUT = 16;
+ UNSUPPORTED_KEY_FORMAT = 17;
+ INCOMPATIBLE_KEY_FORMAT = 18;
+ UNSUPPORTED_KEY_ENCRYPTION_ALGORITHM = 19;
+ UNSUPPORTED_KEY_VERIFICATION_ALGORITHM = 20;
+ INVALID_INPUT_LENGTH = 21;
+ KEY_EXPORT_OPTIONS_INVALID = 22;
+ DELEGATION_NOT_ALLOWED = 23;
+ KEY_NOT_YET_VALID = 24;
+ KEY_EXPIRED = 25;
+ KEY_USER_NOT_AUTHENTICATED = 26;
+ OUTPUT_PARAMETER_NULL = 27;
+ INVALID_OPERATION_HANDLE = 28;
+ INSUFFICIENT_BUFFER_SPACE = 29;
+ VERIFICATION_FAILED = 30;
+ TOO_MANY_OPERATIONS = 31;
+ UNEXPECTED_NULL_POINTER = 32;
+ INVALID_KEY_BLOB = 33;
+ IMPORTED_KEY_NOT_ENCRYPTED = 34;
+ IMPORTED_KEY_DECRYPTION_FAILED = 35;
+ IMPORTED_KEY_NOT_SIGNED = 36;
+ IMPORTED_KEY_VERIFICATION_FAILED = 37;
+ INVALID_ARGUMENT = 38;
+ UNSUPPORTED_TAG = 39;
+ INVALID_TAG = 40;
+ MEMORY_ALLOCATION_FAILED = 41;
+ IMPORT_PARAMETER_MISMATCH = 42;
+ SECURE_HW_ACCESS_DENIED = 43;
+ OPERATION_CANCELLED = 44;
+ CONCURRENT_ACCESS_CONFLICT = 45;
+ SECURE_HW_BUSY = 46;
+ SECURE_HW_COMMUNICATION_FAILED = 47;
+ UNSUPPORTED_EC_FIELD = 48;
+ MISSING_NONCE = 49;
+ INVALID_NONCE = 50;
+ MISSING_MAC_LENGTH = 51;
+ KEY_RATE_LIMIT_EXCEEDED = 52;
+ CALLER_NONCE_PROHIBITED = 53;
+ KEY_MAX_OPS_EXCEEDED = 54;
+ INVALID_MAC_LENGTH = 55;
+ MISSING_MIN_MAC_LENGTH = 56;
+ UNSUPPORTED_MIN_MAC_LENGTH = 57;
+ UNSUPPORTED_KDF = 58;
+ UNSUPPORTED_EC_CURVE = 59;
+ KEY_REQUIRES_UPGRADE = 60;
+ ATTESTATION_CHALLENGE_MISSING = 61;
+ KEYMASTER_NOT_CONFIGURED = 62;
+ ATTESTATION_APPLICATION_ID_MISSING = 63;
+ CANNOT_ATTEST_IDS = 64;
+ UNIMPLEMENTED = 65;
+ VERSION_MISMATCH = 66;
+ ROLLBACK_RESISTANCE_UNAVAILABLE = 67;
+ HARDWARE_TYPE_UNAVAILABLE = 68;
+ PROOF_OF_PRESENCE_REQUIRED = 69;
+ CONCURRENT_PROOF_OF_PRESENCE_REQUESTED = 70;
+ UNKNOWN_ERROR = 71;
+ INVALID_DEVICE_IDS = 72; // Vendor specific.
+ PRODUCTION_MODE_PROVISIONING = 73; // Vendor specific.
+ NO_USER_CONFIRMATION = 74;
+ KEY_UPGRADE_NOT_REQUIRED = 75; // Vendor specific.
+ DEVICE_LOCKED = 76;
+ EARLY_BOOT_ENDED = 77;
+ ATTESTATION_KEYS_NOT_PROVISIONED = 78;
+ ATTESTATION_IDS_NOT_PROVISIONED = 79;
+ INVALID_OPERATION = 80;
+ STORAGE_KEY_UNSUPPORTED = 81;
+ INCOMPATIBLE_MGF_DIGEST = 82;
+ UNSUPPORTED_MGF_DIGEST = 83;
+ INVALID_MAC = 84; // RKP specific.
+ PRODUCTION_KEY_IN_TEST_REQUEST = 85; // RKP specific.
+ TEST_KEY_IN_PRODUCTION_REQUEST = 86; // RKP specific.
+ INVALID_EEK = 87; // RKP specific.
+};
+
+enum SecurityLevel {
+ SOFTWARE = 0;
+ TRUSTED_ENVIRONMENT = 1;
+ STRONGBOX = 2;
+};
+
+// NOTE: these enum values must be kept in sync with the HAL,
+// as they are used in an HMAC calculation.
+enum HardwareAuthenticatorType {
+ HW_AUTH_NONE = 0;
+ HW_AUTH_PASSWORD = 1;
+ HW_AUTH_FINGERPRINT = 2;
+ // Additional entries must be powers of 2.
+};
+
+enum KeyFormat {
+ X509 = 0; /* for public key export */
+ PKCS8 = 1; /* for asymmetric key pair import */
+ RAW = 3; /* for symmetric key import and export*/
+}
+
+enum DTupError {
+ DTUP_OK = 0;
+ DTUP_NO_EVENT = 1;
+}
+
+/* matches Linux event device codes */
+enum DTupKeyEvent {
+ DTUP_RESERVED = 0;
+ DTUP_VOL_DOWN = 114;
+ DTUP_VOL_UP = 115;
+ DTUP_PWR = 116;
+}
+
+enum BootColor {
+ BOOT_VERIFIED_GREEN = 0;
+ BOOT_SELFSIGNED_YELLOW = 1;
+ BOOT_UNVERIFIED_ORANGE = 2;
+ BOOT_VERIFY_FAILED_RED = 3;
+}
+
+enum ChipFusing {
+ FUSING_PROTO = 0;
+ FUSING_DVT = 1;
+ FUSING_PVT = 2; // Strongbox gen v0 certs.
+ FUSING_PVT_1 = 3; // Strongbox gen v1 certs.
+ FUSING_D_PVT = 4; // Dauntless gen v0 certs.
+ FUSING_D_PVT_1 = 5; // Dauntless gen v1 certs.
+ FUSING_D_PVT_2 = 6; // Dauntless gen v2 certs (D3M2).
+}
+
+enum CertificateStatus {
+ CERT_PREVIOUSLY_PROVISIONED = 0;
+ CERT_MISSING = 1;
+ CERT_CHECKSUM = 2;
+ CERT_UNKNOWN_ERROR = 3;
+ CERT_WRONG_PACKET = 4;
+}
+
+enum RkpCsrV2Operation {
+ RKP_CSR_V2_BEGIN = 0;
+ RKP_CSR_V2_UPDATE = 1;
+ RKP_CSR_V2_FINISH = 2;
+}
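Review bot: Several enums here give zero a meaningful and favourable value (`ErrorCode.OK = 0`, `BootColor.BOOT_VERIFIED_GREEN = 0`), and in proto3 an enum field that was never set decodes as zero, so an empty or default-initialised `GetBootInfoResponse` reads as OK, green and `is_unlocked == false`. The numbering is presumably fixed by deployed firmware, so rather than renumbering I would document the hazard on the enums, e.g. `// 0 is also the proto3 default: an unset field reads as OK, so check the transport status before trusting a response.` Whether the host client checks the transport-level result before reading these fields is not visible in this diff. Separately, retired values are kept as comments (`/* RESERVED: DERIVE_KEY = 4; */` in `KeyPurpose`, several more in `Tag`); `reserved 4; reserved "DERIVE_KEY";` would block reuse at compile time.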
diff --git a/nugget/proto/nugget/app/keymaster/ctdl/keymaster_types.options b/nugget/proto/nugget/app/keymaster/ctdl/keymaster_types.options
new file mode 100644
index 0000000..b38e786
--- /dev/null
+++ b/nugget/proto/nugget/app/keymaster/ctdl/keymaster_types.options
@@ -0,0 +1,12 @@
+nugget.app.keymaster.ctdl.KeyParameters.params max_count:20
+nugget.app.keymaster.ctdl.HmacSharingParameters.seed max_size:32
+nugget.app.keymaster.ctdl.HmacSharingParameters.nonce max_size:32
+nugget.app.keymaster.ctdl.HardwareAuthToken.mac max_size:32
+nugget.app.keymaster.ctdl.VerificationToken.mac max_size:32
+nugget.app.keymaster.ctdl.VigoKey.x max_size:64
+nugget.app.keymaster.ctdl.VigoSignature.r max_size:32
+nugget.app.keymaster.ctdl.VigoSignature.s max_size:32
+nugget.app.keymaster.ctdl.VigoSecret.material max_size:32
+nugget.app.keymaster.ctdl.VigoSecret.iv max_size:16
+nugget.app.keymaster.ctdl.VigoSecret.tag max_size:16
+nugget.app.keymaster.ctdl.KeysToSign.keys max_count:20
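Review bot: `KeyParameters.params max_count:20` on the first line of this new ctdl options file keeps the bound that the last hunk of this commit raises to 25 for `nugget.app.keymaster.KeyParameters.params`. If the same callers populate both packages, a list of 21 to 25 parameters would fit the non-ctdl message but exceed the bound here, and would presumably be rejected when the message is encoded or decoded. Either set `max_count:25` here too, or record why the ctdl limit stays lower. Separately, several `bytes` fields declared in keymaster_types.proto (`KeyBlob.blob`, `Certificate.data`, `RSAKey.d`, `RSAKey.n`, `ECKey.d`, `SymmetricKey.material`, `MacedKey.blob`) have no `max_size` entry in this file. Confirm that leaving them unbounded at this layer is deliberate and that their lengths are checked where they are consumed.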
diff --git a/nugget/proto/nugget/app/keymaster/ctdl/keymaster_types.proto b/nugget/proto/nugget/app/keymaster/ctdl/keymaster_types.proto
new file mode 100644
index 0000000..6a8f5a8
--- /dev/null
+++ b/nugget/proto/nugget/app/keymaster/ctdl/keymaster_types.proto
@@ -0,0 +1,136 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+syntax = "proto3";
+
+package nugget.app.keymaster.ctdl;
+
+import "nugget/app/keymaster/ctdl/keymaster_defs.proto";
+
+message KeyParameter {
+ Tag tag = 1; /* Possible values defined here
+ * ::android::hardware::keymaster::V3_0::Tag
+ */
+ uint32 integer = 2;
+ uint64 long_integer = 3;
+ bytes blob = 4;
+}
+
+message KeyParameters {
+ repeated KeyParameter params = 1;
+}
+
+message KeyBlob {
+ bytes blob = 1;
+}
+
+message OperationHandle {
+ uint64 handle = 1;
+}
+
+message Certificate {
+ bytes data = 1;
+}
+
+message CertificateChain {
+ repeated Certificate certificates = 1;
+}
+
+message KeyCharacteristics {
+ KeyParameters software_enforced = 1;
+ KeyParameters tee_enforced = 2;
+}
+
+message HmacSharingParameters {
+ bytes seed = 1;
+ bytes nonce = 2;
+}
+
+message HardwareAuthToken {
+ uint64 challenge = 1;
+ uint64 user_id = 2;
+ uint64 authenticator_id = 3;
+ // Deprecated in favor of tag 7.
+ // HardwareAuthenticatorType authenticator_type = 4;
+ uint64 timestamp = 5;
+ bytes mac = 6;
+ uint32 authenticator_type = 7;
+}
+
+message VerificationToken {
+ uint64 challenge = 1;
+ uint64 timestamp = 2;
+ KeyParameters params_verified = 3;
+ SecurityLevel security_level = 4;
+ bytes mac = 5;
+}
+
+/*
+ * Internal types.
+ */
+message RSAKey {
+ uint32 e = 1;
+ bytes d = 2;
+ bytes n = 3;
+}
+
+message ECKey {
+ /* TODO: should this be EcCurve. */
+ uint32 curve_id = 1;
+ bytes d = 2;
+ bytes x = 3;
+ bytes y = 4;
+}
+
+message SymmetricKey {
+ bytes material = 1;
+}
+
+enum PresharedSecretStatus {
+ NOT_SET = 0;
+ ALREADY_SET = 1;
+}
+
+enum AttestationSelector {
+ ATTEST_TEST = 0;
+ ATTEST_BATCH = 1;
+ ATTEST_INDIVIDUAL = 2;
+ ATTEST_SELF = 3;
+ ATTEST_CALLER = 4;
+}
+
+message VigoKey {
+ bytes x = 1;
+}
+
+message VigoSignature {
+ bytes r = 1;
+ bytes s = 2;
+}
+
+message VigoSecret {
+ bytes material = 1;
+ bytes iv = 2;
+ bytes tag = 3;
+}
+
+message MacedKey{
+ bytes blob = 1;
+}
+
+message KeysToSign {
+ repeated MacedKey keys = 1;
+}
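Review bot: In `HardwareAuthToken`, field number 4 is retired only by a commented-out declaration, so nothing in the schema stops a later edit from assigning 4 to a new field. Replace the two comment lines with `reserved 4;  // was HardwareAuthenticatorType authenticator_type; superseded by field 7`. The token carries a `mac`, and the comment on `HardwareAuthenticatorType` in keymaster_defs.proto says those values are used in an HMAC calculation, so a reused number that old writers still populate could change what a receiver authenticates. Separately, `AttestationSelector` and `PresharedSecretStatus` give 0 a real meaning (`ATTEST_TEST`, `NOT_SET`), and a proto3 field that is omitted decodes as 0. Each enum should carry a comment stating that receivers cannot tell an unset field from those values, and `RSAKey.d`, `ECKey.d` and `SymmetricKey.material` deserve a one-line comment marking them as private key material.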
diff --git a/nugget/proto/nugget/app/keymaster/keymaster_types.options b/nugget/proto/nugget/app/keymaster/keymaster_types.options
index 417e181..6ffce96 100644
--- a/nugget/proto/nugget/app/keymaster/keymaster_types.options
+++ b/nugget/proto/nugget/app/keymaster/keymaster_types.options
@@ -1,4 +1,4 @@
-nugget.app.keymaster.KeyParameters.params max_count:20
+nugget.app.keymaster.KeyParameters.params max_count:25
nugget.app.keymaster.HmacSharingParameters.seed max_size:32
nugget.app.keymaster.HmacSharingParameters.nonce max_size:32
nugget.app.keymaster.HardwareAuthToken.mac max_size:32