path: root/9_security-model
Commit log (each entry: commit message, author, date, files changed, lines changed)
...
* CDD: Scope Factory Data Reset (FDR) wording to userdata partition.
  Author: Jeff Vander Stoep | Date: 2019-08-23 | Files: 1 | Lines: -5/+1
  This is to improve user data privacy.
  Bug: 124238463
  Test: None
  Change-Id: I0a098daec3362417b105bda7be56cea424f62253

* CDD: Revise section about Android Protected Confirmation API
  Author: Janis Danisevskis | Date: 2019-08-23 | Files: 1 | Lines: -5/+8
  - Make the security requirements more concise to cover a larger design space of possible implementations while preserving the expected security guarantees.
  Bug: 119186987
  Test: n/a
  Change-Id: I64a7b52a1218df8f16a2a6bb63f1d78465b9d916
* CDD: Permissions for the hardRestricted level
  Author: Philip P. Moltmann | Date: 2019-08-23 | Files: 1 | Lines: -0/+18
  - The permission model (including permission restriction) is the most important mechanism to protect the user's privacy.
  - Apps need a consistent permission model to be able to effectively deal with user data.
  Fixes: 124522273
  Change-Id: If85a3f266ab75de64e5ac840101fb3ce983e179d
* CDD: Clarify privacy requirement for bugreports.
  Author: Vasco Brito | Date: 2019-08-23 | Files: 1 | Lines: -2/+2
  Clarify that bugreports are covered by the following requirement: MUST NOT preload or distribute software components out-of-box that send user's private information off the device without the user's consent or clear ongoing notifications.
  Bug: 132458597
  Test: N/A
  Change-Id: I4d1732bb45153e5eccce1964437f9bdf25350d54

* CDD: Require new device identifier access restrictions
  Author: Michael Groover | Date: 2019-08-23 | Files: 1 | Lines: -0/+14
  Devices must prevent access to all device identifiers from an app that does not meet one of the new requirements.
  Bug: 123367433
  Test: N/A
  Change-Id: I683ff569f8f51c38fa4defa0f60c898ea48414ab

* Merge "CDD: Relax hardware vulnerability requirements" into qt-dev
  Author: Vikas Marwaha | Date: 2019-08-23 | Files: 1 | Lines: -3/+7

* CDD: Relax hardware vulnerability requirements
  Author: Jeff Vander Stoep | Date: 2019-08-06 | Files: 1 | Lines: -3/+7
  Limit mitigation requirements to vulnerable hardware.
  Bug: 122834364
  Change-Id: If81385671bfd42f0d100f139c081fd759de81cd0

* Merge "CDD: Update CDD for CFI and SCS" into qt-dev
  Author: Vikas Marwaha | Date: 2019-08-23 | Files: 1 | Lines: -12/+12
* CDD: Update CDD for CFI and SCS
  Author: Jeff Vander Stoep | Date: 2019-07-08 | Files: 1 | Lines: -12/+12
  - Strongly recommend shadow-call-stack (SCS) and control-flow-integrity (CFI) for the kernel and userspace to provide additional protection against code-reuse attacks.
  Bug: 123365748
  Test: --
  Change-Id: Ida7b2f190da26439443d5247d467047e134933c1

* CDD: Strongly recommend StrongBox for devices with secure processors
  Author: Shawn Willden | Date: 2019-08-23 | Files: 1 | Lines: -4/+9
  This arguably is a weakening of the P recommendation, but it's part of an incremental strategy to mandate StrongBox across the entire ecosystem. We'll start by recommending it for devices with the necessary hardware, then move to mandating it for such devices and recommending that all devices add such hardware, then mandate it for all devices.
  Bug: 135707870
  Test: N/A
  Change-Id: Idf18fde8fc163ee0944a6ce1e611441414ebc461

* Merge "CDD: Align mic and playback capture requirement" into qt-dev
  Author: Sachiyo Sugimoto | Date: 2019-08-23 | Files: 1 | Lines: -1/+2

* CDD: Align mic and playback capture requirement
  Author: Kevin Rocard | Date: 2019-07-08 | Files: 1 | Lines: -1/+2
  - The two audio sources should have the same privacy requirements.
  - Some typo correction for section 5.4.
  Test: N/A
  Bug: 124333245
  Change-Id: Ida67df090b028b35f0dbea84c1e43de8339c5696
  Signed-off-by: Kevin Rocard <krocard@google.com>
* CDD: Remove "shared device" exception for encryption
  Author: Greg Kaiser | Date: 2019-05-17 | Files: 1 | Lines: -3/+1
  - This can potentially be used to try to gain exceptions for devices we never envisioned (for example, many phones allow multiple user accounts, and any device shipping with family features is pretty much by definition going to be "shared").
  - This exception was also somewhat designed for devices with lower hardware capabilities. But with Adiantum available, we haven't seen any data showing such an exception is still needed.
  Bug: 124123642
  Test: None
  Change-Id: Ie2b3f0b5be2c8cda80176160255558e6e5a2cff5

* CDD: Remove encryption performance exception
  Author: Greg Kaiser | Date: 2019-05-17 | Files: 1 | Lines: -16/+18
  We now require encryption on all devices, without any exceptions for performance. For devices which lack AES CPU instructions, and thus have performance concerns with AES, we allow the use of Adiantum as the encryption method.
  Bug: 118200376
  Test: None
  Change-Id: I219fd6d1733c053741d8b71b7f5bd067938d1196

* CDD: Remove FDE, mandate FBE where encryption is mandated
  Author: Paul Crowley | Date: 2019-05-17 | Files: 1 | Lines: -50/+25
  - Already-launched devices are exempted, and must instead follow mandates of their launch CDD.
  Bug: 118760699
  Test: not applicable to CDD changes
  Change-Id: Icea70b46c986af187248d9b946e5c17d2b8ef1dd

* CDD: Clarify data deletion requirements
  Author: Maddie Stone | Date: 2019-02-21 | Files: 1 | Lines: -3/+4
  - Make it clear that all generated data, not just user-generated data, should be deleted on factory device reset.
  - Clarify that only operating system files on read-only filesystems are exempt from being deleted.
  Bug: 124238463
  Test: None
  Change-Id: I3cd0bb57ed2c425763b7a50849dc216bc5dcab50
* Docs: Errata for Android 9 CDD.
  Tags: android-o-mr1-iot-release-smart-display-r3, android-o-mr1-iot-release-1.0.5, android-o-mr1-iot-release-1.0.4, oreo-mr1-1.2-iot-release, master-cuttlefish-testing-release
  Author: Gina Dimino | Date: 2018-08-09 | Files: 4 | Lines: -22/+10
  - Fixed Section 9.10 by removing C-2-1 due to the introduction of C-0-2
  - Fixed typos in other sections
  Bug: 112010610
  Test: ./cdd_gen.sh --version 9 --branch pie-dev
  Change-Id: Ie4003beb20425a7fc83cf68ea23772aca389b85b

* Merge pi-dev as of ag/4582919 into stage-aosp-master.
  Author: Xin Li | Date: 2018-08-03 | Files: 6 | Lines: -147/+380
  Bug: 112189069
  Change-Id: I67297b2d6eb189283acb350c1001010f0e9c81d9
* CDD: Move the req of supporting encryption under perf carve-out
  Author: Greg Kaiser | Date: 2018-08-02 | Files: 1 | Lines: -21/+23
  - Ensure consistent security across devices
  - Replace the carve-out of secure lock screen with the perf carve-out for supporting encryption
  Test: None
  Bug: 71909258
  Change-Id: Ied56bb0bdd99e3f27e68c13829073c5982019c74
* Merge "CDD: Require logging of some basic events available to app developers through statsd." into pi-dev
  Author: TreeHugger Robot | Date: 2018-08-02 | Files: 1 | Lines: -2/+12

* CDD: Require logging of some basic events available to app developers through statsd.
  Author: Joe Onorato | Date: 2018-08-02 | Files: 1 | Lines: -2/+12
  Enlist required fields to be more specific about what is needed for developer tools and what is needed for privacy.
  Bug: 76161779
  Bug: 74125988
  Test: None
  Change-Id: I4ff9a73f72c3270caaac0f116297d666a58561fb
* CDD: Clarifying kernel page table isolation
  Author: sachiyo | Date: 2018-08-02 | Files: 1 | Lines: -3/+2
  - Modifying the requirement language for C-0-12 (kernel page table isolation) requirement to add clarity.
  Bug: 79088532
  Change-Id: If3b3da40b78203c177cb4b833ea49837336a72b7
* Merge "CDD: Requirements for services that have access to "android.permission.RECOVER_KEYSTORE"" into pi-dev
  Author: TreeHugger Robot | Date: 2018-08-02 | Files: 1 | Lines: -1/+9

* CDD: Requirements for services that have access to "android.permission.RECOVER_KEYSTORE"
  Author: Bo Zhu | Date: 2018-08-02 | Files: 1 | Lines: -1/+9
  - Prevent brute-force attacks on the lockscreen knowledge factor.
  Bug: 73599998
  Test: None
  Change-Id: I8f7fa701b11f015e26429c4683a36d37aa2faa47

* Merge "CDD: Add section about Android Protected Confirmation API" into pi-dev
  Author: TreeHugger Robot | Date: 2018-08-01 | Files: 1 | Lines: -0/+17

* CDD: Add section about Android Protected Confirmation API
  Author: David Zeuthen | Date: 2018-08-01 | Files: 1 | Lines: -0/+17
  - Device implementations with secure hardware may implement the Android Protected Confirmation API to request the user to approve a textual message.
  Bug: 73001803
  Test: n/a
  Change-Id: I96c5929b0b4ab99b31a9fe7ca0ac82710f94cdca

* Merge "CDD: Update CDD language for biometrics and lockscreen." into pi-dev
  Author: TreeHugger Robot | Date: 2018-08-01 | Files: 1 | Lines: -102/+180
* CDD: Update CDD language for biometrics and lockscreen.
  Author: Vishwath Mohan | Date: 2018-08-01 | Files: 1 | Lines: -102/+180
  This CL makes CDD changes that are aimed at providing more explicit guidance on creating secure biometric-based unlocks, and on consolidating the CDD language for secure lockscreens to make the authentication model consistent with our security bar. More specifically, it changes the following things:
  (1) A new section similar to "7.3.10 Fingerprint Sensors" that's more generic and applicable to all biometric sensors. Should have mostly the same constraints but slightly altered where necessary.
  (2) Language that deals with match-on-chip solutions for biometrics.
  (3) A new requirement in 9.11 that mandates keeping a minimum Sleep timeout of at most 15 seconds.
  (4) New requirements in "9.11.1 Secure Lock Screens" that:
      (a) Constrain what a primary authentication can be.
      (b) Adds information related to alternate biometric unlocks and adhering to the SAR/IAR bar that was introduced in the 8.1 CDD.
      (c) Adds requirements around 'passive' biometric unlocks like Face when used to unlock keystore keys.
      (d) Clarifies some language around falling back to requiring primary auth every 72 hours for all non-primary modes of authentication.
  (5) Removes the API requirement to return false for both the KeyguardManager.isKeyguardSecure() and the KeyguardManager.isDeviceSecure() methods.
  Bug: 73723272
  Bug: 77656214
  Bug: 111053551
  Test: --
  Change-Id: Iede9eba5ac79de56802cd830c3dc4e521f40e098
* CDD: 9.10. Device Integrity: Change verified boot items from SR to MUST.
  Author: David Zeuthen | Date: 2018-08-01 | Files: 1 | Lines: -8/+25
  Change STRONGLY RECOMMENDED to MUST for verified boot items and slight cleanup of language used:
  - MUST use tamper-evident storage for storing whether the bootloader is unlocked. Tamper-evident storage means that the boot loader can detect if the storage has been tampered with from inside Android.
  - MUST prompt the user, while using the device, and require physical confirmation before allowing a transition from boot loader locked mode to boot loader unlocked mode.
  - MUST implement rollback protection for the partitions used by Android (e.g. boot, system partitions) and use tamper-evident storage for storing the metadata used for determining the minimum allowable OS version.
  Test: n/a
  Bug: 72919368
  Change-Id: Ifcb0c994cb86f92a422dcde6fa6da1ca064d4ca0
* Merge "CDD: StrongBox requirements" into pi-dev
  Author: TreeHugger Robot | Date: 2018-07-30 | Files: 1 | Lines: -7/+80

* CDD: StrongBox requirements
  Author: Shawn Willden | Date: 2018-07-27 | Files: 1 | Lines: -7/+80
  - Tighten the security by supporting StrongBox.
  - Clarifying the requirements if StrongBox is supported.
  Bug: 73002261
  Test: N/A
  Change-Id: I9834ced2e697bee013cb0725f31745826da1f0c5

* Merge "CDD: Update CDD changes for CFI and IOSAN" into pi-dev
  Author: TreeHugger Robot | Date: 2018-07-27 | Files: 1 | Lines: -3/+17
* CDD: Update CDD changes for CFI and IOSAN
  Author: Vishwath Mohan | Date: 2018-07-27 | Files: 1 | Lines: -3/+17
  This CL renames section 9.7 to 'Security Features' (instead of kernel security features), and adds a new sub-section for userspace-specific security feature advice. There's only a single recommendation in it for P, but we will be using this section to add more details and recommendations/constraints for Q.
  Bug: 73724250
  Test: --
  Change-Id: If45c5fd9b7668dcafc9ce8dbd2a59b9c4418ca42
* Merge "CDD: Recommend metadata encryption" into pi-dev
  Author: TreeHugger Robot | Date: 2018-07-27 | Files: 1 | Lines: -27/+16

* CDD: Recommend metadata encryption
  Author: Paul Crowley | Date: 2018-07-09 | Files: 1 | Lines: -0/+3
  - Tighten the security.
  Bug: 73662717
  Test: Compiled and inspected HTML
  Change-Id: Ib2be403ef2db8525c9ad579a289eca79132696e9

* Merge "CDD: Require verified boot on all devices, including low ram devices" into pi-dev
  Author: TreeHugger Robot | Date: 2018-07-27 | Files: 1 | Lines: -12/+8

* CDD: Require verified boot on all devices, including low ram devices
  Author: Greg Kaiser | Date: 2018-07-26 | Files: 1 | Lines: -12/+8
  We remove the low RAM exception for verified boot.
  Test: None
  Bug: 73374550
  Change-Id: I340e8753c8648bbe2a68426123851359d4cba1cb
* Merge "CDD: Handheld MUST include an application that handles intents related to Storage Access Framework (SAF)" into pi-dev
  Author: Vikas Marwaha | Date: 2018-07-23 | Files: 1 | Lines: -13/+27
* Merge "Docs: clarify that CONFIG_ARM_LPAE is not allowed for 32-bit ARM" into pi-dev
  Author: TreeHugger Robot | Date: 2018-07-22 | Files: 1 | Lines: -1/+2

* Docs: clarify that CONFIG_ARM_LPAE is not allowed for 32-bit ARM
  Author: Jeff Vander Stoep | Date: 2018-07-21 | Files: 1 | Lines: -1/+2
  - It's incompatible with PAN emulation for arm32 kernels.
  - This is already implicitly tested when checking for CONFIG_CPU_SW_DOMAIN_PAN.
  Bug: 109828784, 74078653, 79088532, 73728376
  Test: n/a
  Change-Id: Idb6a96d6f8c13a959b4bdc2c5580294beeff2d7c
* CDD: Allow escrow keys to unlock CE storage.
  Author: Paul Crowley | Date: 2018-07-17 | Files: 1 | Lines: -1/+1
  - Much of the purpose of escrow keys is to allow storage to be unlocked when a user forgets their LSKF, so we must allow this in CDD.
  Bug: 111561428
  Test: Documentation change.
  Change-Id: I0de44228e35728713405a8d84ec3b8e6f8a9ecbf
* Merge "CDD: Add recommendations for Full Stack Integrity" into pi-dev
  Author: Vikas Marwaha | Date: 2018-07-10 | Files: 1 | Lines: -9/+15

* CDD: Add recommendations for Full Stack Integrity
  Author: Victor Hsieh | Date: 2018-06-25 | Files: 1 | Lines: -9/+15
  Android P adds support for extending the protections of Verified Boot beyond OS partitions to privileged apps that are installed on /data. This change recommends that device implementations perform integrity checks of these privileged apps.
  Test: None
  Bug: 73001552
  Change-Id: I773c4ad431ab0f2c16a762ba342653502ea98912
* Merge "CDD: Require to include only the data with 'DEST_AUTO' in the incident report" into pi-dev
  Author: Vikas Marwaha | Date: 2018-07-10 | Files: 1 | Lines: -1/+3
* CDD: Require to include only the data with 'DEST_AUTO' in the incident report
  Author: Yi Jin | Date: 2018-06-25 | Files: 1 | Lines: -1/+3
  Ensure that data other than `DEST_AUTO` is not included in the report, for privacy protection, as fields or messages annotated with DEST_AUTO can be sent by automatic means, without per-sending user consent. The user still must have previously accepted a consent to share this information.
  Bug: 76161779
  Test: N/A
  Change-Id: I813c96d43395b092ab0e8681893cf205723d26bb
* CDD: MUST NOT send user's private data off the device without the user's consent
  Author: Vikas Marwaha | Date: 2018-06-26 | Files: 1 | Lines: -0/+7
  - Ensure that user's private data is protected and is not sent off the device without user's consent.
  Bug: 74620344
  Change-Id: I41559d7d3903ea3d44d1471abe896ad7698ef6be
  Test: N/A

* Merge "CDD: Tightening kernel security requirements from SR to MUST" into pi-dev
  Author: Jeffrey Vander Stoep | Date: 2018-06-05 | Files: 1 | Lines: -9/+16
  am: c180b33ab7
  Change-Id: I98f56e36e38a6ae993da734547f56bc5985abbaa

* Merge "CDD: Tightening kernel security requirements from SR to MUST" into pi-dev
  Author: Jeffrey Vander Stoep | Date: 2018-06-05 | Files: 1 | Lines: -9/+16

* CDD: Tightening kernel security requirements from SR to MUST
  Author: Jeff Vander Stoep | Date: 2018-06-05 | Files: 1 | Lines: -10/+17
  - The tightened MUST requirements are applicable for devices that originally ship with API level 28 and above. These security requirements provide better protections for the kernel by mitigating common classes of vulnerabilities and privilege escalation techniques.
  Bug: 74078653
  Bug: 79088532
  Bug: 73728376
  Test: n/a
  Change-Id: I62450948e5474939d94b22b280d11a6d56e35f3e

* Merge "CDD: add per-app selinux requirements for P" into pi-dev
  Author: Jeff Vander Stoep | Date: 2018-06-04 | Files: 1 | Lines: -0/+3
  am: 3240eddfe2
  Change-Id: I7824a7cb89d99f2b4b3ccfe2d74756f3ad63ee93