This is to improve user data privacy.
Bug: 124238463
Test: None
Change-Id: I0a098daec3362417b105bda7be56cea424f62253
- Make the security requirements more concise to cover a larger design
space of possible implementations while preserving the expected
security guarantees.
Bug: 119186987
Test: n/a
Change-Id: I64a7b52a1218df8f16a2a6bb63f1d78465b9d916
- The permission model (including permission) restriction is the most
important mechanism to protect the user's privacy
- Apps need a consistent permission model to be able to effectively deal
with user data
Fixes: 124522273
Change-Id: If85a3f266ab75de64e5ac840101fb3ce983e179d
Clarify that bugreports are covered by the following requirement:
MUST NOT preload or distribute software components out-of-box that send
user's private information off the device without the user's consent or
clear ongoing notifications.
Bug: 132458597
Test: N/A
Change-Id: I4d1732bb45153e5eccce1964437f9bdf25350d54
Devices must prevent access to all device identifiers from
an app that does not meet one of the new requirements.
Bug: 123367433
Test: N/A
Change-Id: I683ff569f8f51c38fa4defa0f60c898ea48414ab
Limit mitigation requirements to vulnerable hardware.
Bug: 122834364
Change-Id: If81385671bfd42f0d100f139c081fd759de81cd0
- Strongly recommend shadow-call-stack (SCS) and control-flow-integrity
(CFI) for the kernel and userspace to provide additional protection
against code-reuse attacks.
Bug: 123365748
Test: --
Change-Id: Ida7b2f190da26439443d5247d467047e134933c1
This arguably is a weakening of the P recommendation, but it's part of
an incremental strategy to mandate StrongBox across the entire
ecosystem. We'll start by recommending it for devices with the
necessary hardware, then move to mandating it for such devices and
recommending that all devices add such hardware, then mandate it for
all devices.
Bug: 135707870
Test: N/A
Change-Id: Idf18fde8fc163ee0944a6ce1e611441414ebc461
- The two audio sources should have the same privacy requirements.
- Some typo correction for section 5.4.
Test: N/A
Bug: 124333245
Change-Id: Ida67df090b028b35f0dbea84c1e43de8339c5696
Signed-off-by: Kevin Rocard <krocard@google.com>
- This can potentially be used to try to gain exceptions for devices
we never envisioned (for example, many phones allow multiple user
accounts, and any device shipping with family features is
pretty much by definition going to be "shared").
- This exception was also somewhat designed for devices with
lower hardware capabilities. But with Adiantum available, we
haven't seen any data showing such an exception is still
needed.
Bug: 124123642
Test: None
Change-Id: Ie2b3f0b5be2c8cda80176160255558e6e5a2cff5
We now require encryption on all devices, without any
exceptions for performance.
For devices which lack AES CPU instructions, and thus have
performance concerns with AES, we allow the use of Adiantum as
the encryption method.
Bug: 118200376
Test: None
Change-Id: I219fd6d1733c053741d8b71b7f5bd067938d1196
- Already-launched devices are exempted, and must instead follow
mandates of their launch CDD.
Bug: 118760699
Test: not applicable to CDD changes
Change-Id: Icea70b46c986af187248d9b946e5c17d2b8ef1dd
- Make it clear that all generated data, not just user-generated data,
should be deleted on factory device reset.
- Clarify that only operating system files on read-only filesystems are
exempt from being deleted.
Bug: 124238463
Test: None
Change-Id: I3cd0bb57ed2c425763b7a50849dc216bc5dcab50
- Fixed Section 9.10 by removing C-2-1 due to the introduction of C-0-2
- Fixed typos in other sections
Bug: 112010610
Test: ./cdd_gen.sh --version 9 --branch pie-dev
Change-Id: Ie4003beb20425a7fc83cf68ea23772aca389b85b
Bug: 112189069
Change-Id: I67297b2d6eb189283acb350c1001010f0e9c81d9
- Ensure consistent security across devices
- Replace the carve-out of secure lock screen with the perf carve-out
for supporting encryption
Test: None
Bug: 71909258
Change-Id: Ied56bb0bdd99e3f27e68c13829073c5982019c74
through statsd." into pi-dev
through statsd.
Enlist required fields to be more specific about what is
needed for developer tools and what is needed for privacy.
Bug: 76161779
Bug: 74125988
Test: None
Change-Id: I4ff9a73f72c3270caaac0f116297d666a58561fb
- Modifying the requirement language for C-0-12 (kernel page table isolation)
requirement to add clarity.
Bug: 79088532
Change-Id: If3b3da40b78203c177cb4b833ea49837336a72b7
"android.permission.RECOVER_KEYSTORE"" into pi-dev
"android.permission.RECOVER_KEYSTORE"
- Prevent brute-force attacks on the lockscreen knowledge factor.
Bug: 73599998
Test: None
Change-Id: I8f7fa701b11f015e26429c4683a36d37aa2faa47
- Device implementations with secure hardware may implement the
Android Protected Confirmation API to request the user to
approve a textual message.
Bug: 73001803
Test: n/a
Change-Id: I96c5929b0b4ab99b31a9fe7ca0ac82710f94cdca
This CL makes CDD changes that are aimed at providing more explicit
guidance on creating secure biometric-based unlocks, and on
consolidating the CDD language for secure lockscreens to make the
authentication model consistent with our security bar.
More specifically, it changes the following things:
(1) A new section similar to "7.3.10 Fingerprint Sensors" that's more
generic and applicable to all biometric sensors. Should have mostly
the same constraints but slightly altered where necessary.
(2) Language that deals with match-on-chip solutions for biometrics.
(3) A new requirement in 9.11 that mandates keeping a minimum
sleep timeout of at most 15 seconds.
(4) New requirements in "9.11.1 Secure Lock Screens" that:
(a) Constrain what a primary authentication can be.
(b) Add information related to alternate biometric unlocks and
adhering to the SAR/IAR bar that was introduced in the 8.1 CDD.
(c) Add requirements around 'passive' biometric unlocks like Face
when used to unlock keystore keys.
(d) Clarify some language around falling back to requiring primary
auth every 72 hours for all non-primary modes of authentication.
(5) Removes the API requirement to return false for both the
KeyguardManager.isKeyguardSecure() and the KeyguardManager.isDeviceSecure()
methods.
Bug: 73723272
Bug: 77656214
Bug: 111053551
Test: --
Change-Id: Iede9eba5ac79de56802cd830c3dc4e521f40e098
Change STRONGLY RECOMMENDED to MUST for verified boot items and slight
cleanup of language used:
- MUST use tamper-evident storage: for storing whether the bootloader
is unlocked. Tamper-evident storage means that the boot loader can
detect if the storage has been tampered with from inside Android.
- MUST prompt the user, while using the device, and require physical
confirmation before allowing a transition from boot loader locked
mode to boot loader unlocked mode.
- MUST implement rollback protection for the partitions used by
Android (e.g. boot, system partitions) and use tamper-evident
storage for storing the metadata used for determining the minimum
allowable OS version.
Test: n/a
Bug: 72919368
Change-Id: Ifcb0c994cb86f92a422dcde6fa6da1ca064d4ca0
- Tighten the security by supporting StrongBox.
- Clarifying the requirements if StrongBox is supported.
Bug: 73002261
Test: N/A
Change-Id: I9834ced2e697bee013cb0725f31745826da1f0c5
This CL renames section 9.7 to 'Security Features' (instead of kernel
security features), and adds a new sub-section for userspace specific
security feature advice. There's only a single recommendation in it for
P, but we will be using this section to add more details and
recommendations/constraints for Q.
Bug: 73724250
Test: --
Change-Id: If45c5fd9b7668dcafc9ce8dbd2a59b9c4418ca42
- Tighten the security.
Bug: 73662717
Test: Compiled and inspected HTML
Change-Id: Ib2be403ef2db8525c9ad579a289eca79132696e9
into pi-dev
We remove the low RAM exception for verified boot.
Test: None
Bug: 73374550
Change-Id: I340e8753c8648bbe2a68426123851359d4cba1cb
related to Storage Access Framework (SAF)" into pi-dev
ARM" into pi-dev
- It's incompatible with PAN emulation for arm32 kernels.
- This is already implicitly tested when checking for
CONFIG_CPU_SW_DOMAIN_PAN.
Bug: 109828784, 74078653, 79088532, 73728376
Test: n/a
Change-Id: Idb6a96d6f8c13a959b4bdc2c5580294beeff2d7c
- Much of the purpose of escrow keys is to allow storage
to be unlocked when a user forgets their LSKF, so we
must allow this in CDD.
Bug: 111561428
Test: Documentation change.
Change-Id: I0de44228e35728713405a8d84ec3b8e6f8a9ecbf
Android P adds support for extending the protections of Verified Boot
beyond OS partitions to privileged apps that are installed on /data.
This change recommends that device implementations perform
integrity checks of these privileged apps.
Test: None
Bug: 73001552
Change-Id: I773c4ad431ab0f2c16a762ba342653502ea98912
incident report" into pi-dev
Ensure that data other than `DEST_AUTO` is not included in the report, for
privacy protection, as fields or messages annotated with DEST_AUTO
can be sent by automatic means, without per-sending user consent. The user
must still have previously given consent to share this information.
Bug: 76161779
Test: N/A
Change-Id: I813c96d43395b092ab0e8681893cf205723d26bb
- Ensure that the user's private data is protected and is not sent off the device without the user's consent.
Bug: 74620344
Change-Id: I41559d7d3903ea3d44d1471abe896ad7698ef6be
Test: N/A
am: c180b33ab7
Change-Id: I98f56e36e38a6ae993da734547f56bc5985abbaa
- The tightened MUST requirements are applicable for devices that
originally ship with API level 28 and above.
These security requirements provide better protections for the kernel by
mitigating common classes of vulnerabilities and privilege escalation
techniques.
Bug: 74078653
Bug: 79088532
Bug: 73728376
Test: n/a
Change-Id: I62450948e5474939d94b22b280d11a6d56e35f3e
am: 3240eddfe2
Change-Id: I7824a7cb89d99f2b4b3ccfe2d74756f3ad63ee93