authorBrian C. Young <bcyoung@google.com>2017-11-16 15:47:44 -0800
committerBrian C. Young <bcyoung@google.com>2018-01-25 08:43:14 -0800
commitd98e6865503ee2c63c4e73796f7ad8b6cb87c450 (patch)
tree826ac4718a29e5b62482902ea2ebb182620a81e9
parentd16d923716a4e54ca4c9003ff4b356705f1e10b7 (diff)
downloadkeymaster-d98e6865503ee2c63c4e73796f7ad8b6cb87c450.tar.gz
Add "Unlocked device required" parameter to keys
Add a keymaster parameter for keys that should be inaccessible when the device screen is locked. "Locked" here is a state where the device can be used or accessed without any further trust factor such as a PIN, password, fingerprint, or trusted face or voice. This parameter is added to the Java keystore interface for key creation and import, as well as enums specified by and for the native keystore process. Test: go/asym-write-test-plan Bug: 67752510 Change-Id: I100e55de7080edb2bd705c2ab9d116f72bac97f8
-rw-r--r--android_keymaster/keymaster_enforcement.cpp5
-rw-r--r--android_keymaster/keymaster_tags.cpp2
-rw-r--r--include/keymaster/attestation_record.h1
-rw-r--r--include/keymaster/keymaster_tags.h1
-rw-r--r--km_openssl/attestation_record.cpp3
5 files changed, 12 insertions, 0 deletions
diff --git a/android_keymaster/keymaster_enforcement.cpp b/android_keymaster/keymaster_enforcement.cpp
index ccb20f0..d62dc62 100644
--- a/android_keymaster/keymaster_enforcement.cpp
+++ b/android_keymaster/keymaster_enforcement.cpp
@@ -347,6 +347,11 @@ keymaster_error_t KeymasterEnforcement::AuthorizeBegin(const keymaster_purpose_t
case KM_TAG_ALLOW_WHILE_ON_BODY:
break;
+ /* TODO(bcyoung): This is currently handled in keystore, but may move to keymaster in the
+ * future */
+ case KM_TAG_UNLOCKED_DEVICE_REQUIRED:
+ break;
+
case KM_TAG_BOOTLOADER_ONLY:
return KM_ERROR_INVALID_KEY_BLOB;
}
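Review bot: The new `case KM_TAG_UNLOCKED_DEVICE_REQUIRED: break;` in AuthorizeBegin accepts the tag without checking any lock state, so in this function a key carrying it is authorized exactly as if the tag were absent. The TODO says keystore handles it today, but it does not say what that means for the trust boundary: the restriction then holds only as long as the keystore process is intact, and presumably not against a caller that reaches keymaster some other way. I would make that explicit, e.g. `/* Not enforced here: lock state is checked only by keystore, so this tag adds no protection if keystore is bypassed. Tracked in b/67752510. */`. The switch and the rest of AuthorizeBegin lie outside the hunk, so I cannot confirm whether the function has any source of lock state at all.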
diff --git a/android_keymaster/keymaster_tags.cpp b/android_keymaster/keymaster_tags.cpp
index 2375389..27b67c8 100644
--- a/android_keymaster/keymaster_tags.cpp
+++ b/android_keymaster/keymaster_tags.cpp
@@ -109,6 +109,8 @@ const char* StringifyTag(keymaster_tag_t tag) {
return "KM_TAG_RESET_SINCE_ID_ROTATION";
case KM_TAG_ALLOW_WHILE_ON_BODY:
return "KM_TAG_ALLOW_WHILE_ON_BODY";
+ case KM_TAG_UNLOCKED_DEVICE_REQUIRED:
+ return "KM_TAG_UNLOCKED_DEVICE_REQUIRED";
case KM_TAG_ATTESTATION_CHALLENGE:
return "KM_TAG_ATTESTATION_CHALLENGE";
case KM_TAG_ATTESTATION_APPLICATION_ID:
diff --git a/include/keymaster/attestation_record.h b/include/keymaster/attestation_record.h
index 604e391..c7facd3 100644
--- a/include/keymaster/attestation_record.h
+++ b/include/keymaster/attestation_record.h
@@ -71,6 +71,7 @@ typedef struct km_auth_list {
ASN1_INTEGER* user_auth_type;
ASN1_INTEGER* auth_timeout;
ASN1_NULL* allow_while_on_body;
+ ASN1_NULL* unlocked_device_required;
ASN1_NULL* all_applications;
ASN1_OCTET_STRING* application_id;
ASN1_INTEGER* creation_date_time;
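Review bot: The new `unlocked_device_required` member is added to `km_auth_list` here and set in `build_auth_list` (km_openssl/attestation_record.cpp hunk), but the diffstat shows one line changed in this header and three in that .cpp, so no ASN.1 template entry or parse-side handling for the field is part of this commit. If the `KM_AUTH_LIST` sequence template lives in one of these two files, which is not visible here, the member would be allocated but never encoded, and a verifier reading the attestation could not tell that the key carries this restriction. Please either add the matching optional template entry and the extraction case, or add a comment such as `/* not yet serialized in the attestation record */` next to the member. It is also worth documenting which list (software- or hardware-enforced) the tag is expected to appear in, since the enforcement hunk says keymaster does not enforce it. The struct definition starts and ends outside the hunk.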
diff --git a/include/keymaster/keymaster_tags.h b/include/keymaster/keymaster_tags.h
index ad072ec..9908119 100644
--- a/include/keymaster/keymaster_tags.h
+++ b/include/keymaster/keymaster_tags.h
@@ -151,6 +151,7 @@ DECLARE_KEYMASTER_TAG(KM_ULONG_REP, TAG_USER_SECURE_ID);
DECLARE_KEYMASTER_TAG(KM_BOOL, TAG_NO_AUTH_REQUIRED);
DECLARE_KEYMASTER_TAG(KM_UINT, TAG_AUTH_TIMEOUT);
DECLARE_KEYMASTER_TAG(KM_BOOL, TAG_ALLOW_WHILE_ON_BODY);
+DECLARE_KEYMASTER_TAG(KM_BOOL, TAG_UNLOCKED_DEVICE_REQUIRED);
DECLARE_KEYMASTER_TAG(KM_BOOL, TAG_ALL_APPLICATIONS);
DECLARE_KEYMASTER_TAG(KM_BYTES, TAG_APPLICATION_ID);
DECLARE_KEYMASTER_TAG(KM_BYTES, TAG_APPLICATION_DATA);
diff --git a/km_openssl/attestation_record.cpp b/km_openssl/attestation_record.cpp
index fb61155..6160c2d 100644
--- a/km_openssl/attestation_record.cpp
+++ b/km_openssl/attestation_record.cpp
@@ -222,6 +222,9 @@ keymaster_error_t build_auth_list(const AuthorizationSet& auth_list, KM_AUTH_LIS
case KM_TAG_ALLOW_WHILE_ON_BODY:
bool_ptr = &record->allow_while_on_body;
break;
+ case KM_TAG_UNLOCKED_DEVICE_REQUIRED:
+ bool_ptr = &record->unlocked_device_required;
+ break;
case KM_TAG_CALLER_NONCE:
bool_ptr = &record->caller_nonce;
break;