| author | Satya Tangirala <satyat@google.com> | 2021-03-24 10:53:36 +0000 |
|---|---|---|
| committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2021-03-24 10:53:36 +0000 |
| commit | 53717493e14efd598cde4861edfa23e79837ae4c (patch) | |
| tree | 6335ee807ca0a3693c63381e716ea5973d26d539 | |
| parent | e131bedf366ab193afa63464edec4b84f94d43a6 (diff) | |
| parent | d97f934cd85bb76326aa81d55121976acd36c2a4 (diff) | |
Merge "Keystore 2.0: Introduce deleteKey to IKeystoreSecurityLevel" am: f18f82af7d am: d97f934cd8
Original change: https://android-review.googlesource.com/c/platform/system/hardware/interfaces/+/1623126
Change-Id: I77fbcb839038b037997fe249e23694a1df65212e
3 files changed, 23 insertions, 1 deletions
diff --git a/keystore2/aidl/aidl_api/android.system.keystore2/current/android/system/keystore2/IKeystoreSecurityLevel.aidl b/keystore2/aidl/aidl_api/android.system.keystore2/current/android/system/keystore2/IKeystoreSecurityLevel.aidl
index 1cbcb665..5e53f6dd 100644
--- a/keystore2/aidl/aidl_api/android.system.keystore2/current/android/system/keystore2/IKeystoreSecurityLevel.aidl
+++ b/keystore2/aidl/aidl_api/android.system.keystore2/current/android/system/keystore2/IKeystoreSecurityLevel.aidl
@@ -40,5 +40,6 @@ interface IKeystoreSecurityLevel {
 android.system.keystore2.KeyMetadata importKey(in android.system.keystore2.KeyDescriptor key, in @nullable android.system.keystore2.KeyDescriptor attestationKey, in android.hardware.security.keymint.KeyParameter[] params, in int flags, in byte[] keyData);
 android.system.keystore2.KeyMetadata importWrappedKey(in android.system.keystore2.KeyDescriptor key, in android.system.keystore2.KeyDescriptor wrappingKey, in @nullable byte[] maskingKey, in android.hardware.security.keymint.KeyParameter[] params, in android.system.keystore2.AuthenticatorSpec[] authenticators);
 byte[] convertStorageKeyToEphemeral(in android.system.keystore2.KeyDescriptor storageKey);
+ void deleteKey(in android.system.keystore2.KeyDescriptor key);
 const int KEY_FLAG_AUTH_BOUND_WITHOUT_CRYPTOGRAPHIC_LSKF_BINDING = 1;
 }
diff --git a/keystore2/aidl/android/system/keystore2/IKeystoreSecurityLevel.aidl b/keystore2/aidl/android/system/keystore2/IKeystoreSecurityLevel.aidl
index d2c4c7b9..40e20cc6 100644
--- a/keystore2/aidl/android/system/keystore2/IKeystoreSecurityLevel.aidl
+++ b/keystore2/aidl/android/system/keystore2/IKeystoreSecurityLevel.aidl
@@ -191,4 +191,22 @@ interface IKeystoreSecurityLevel {
 * @return byte[] representing the wrapped per-boot ephemeral key.
 */
 byte[] convertStorageKeyToEphemeral(in KeyDescriptor storageKey);
+
+ /**
+ * Allows deleting a Domain::BLOB key from the backend underlying this IKeystoreSecurityLevel.
+ * While there's another function "deleteKey()" in IKeystoreService, that function doesn't
+ * handle Domain::BLOB keys because it doesn't have any information about which underlying
+ * device to actually delete the key blob from.
+ *
+ * ## Error conditions
+ * `ResponseCode::PERMISSION_DENIED` if the caller does not have the permission `DELETE`
+ * for the designated key, or the "MANAGE_BLOB" permission to manage
+ * Domain::BLOB keys.
+ * `ResponseCode::INVALID_ARGUMENT` if key.domain != Domain::BLOB or key.blob isn't specified.
+ *
+ * A KeyMint ErrorCode may be returned indicating a backend diagnosed error.
+ *
+ * @param KeyDescriptor representing the key to delete.
+ */
+ void deleteKey(in KeyDescriptor key);
 }
diff --git a/keystore2/aidl/android/system/keystore2/IKeystoreService.aidl b/keystore2/aidl/android/system/keystore2/IKeystoreService.aidl
index 723954b8..f20a0e17 100644
--- a/keystore2/aidl/android/system/keystore2/IKeystoreService.aidl
+++ b/keystore2/aidl/android/system/keystore2/IKeystoreService.aidl
@@ -134,7 +134,10 @@ interface IKeystoreService {
 KeyDescriptor[] listEntries(in Domain domain, in long nspace);
 /**
- * Deletes the designated key.
+ * Deletes the designated key. This method can be used on keys with any domain except
+ * Domain::BLOB, since keystore knows which security level any non Domain::BLOB key
+ * belongs to. To delete Domain::BLOB keys, use IKeystoreSecurityLevel::deleteKey()
+ * instead.
 *
 * ## Error conditions
 * `ResponseCode::KEY_NOT_FOUND` if the key designated by `key` did not exist. |
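Review bot: The PERMISSION_DENIED clause in the new deleteKey() comment in keystore2/aidl/android/system/keystore2/IKeystoreSecurityLevel.aidl joins the `DELETE` permission and the "MANAGE_BLOB" permission with "or", so a reader cannot tell whether a caller needs both permissions or only one of them. This comment is the authorization contract for deleting a key blob from the backend, so it should say which applies. If both are required (the implementation is not visible in this hunk, so confirm), wording such as "if the caller lacks the `DELETE` permission for the designated key or lacks the `MANAGE_BLOB` permission; both are required" removes the ambiguity. The tag `@param KeyDescriptor representing the key to delete.` names the type rather than the parameter; `@param key KeyDescriptor (Domain::BLOB, blob set) designating the key to delete.` would match the signature. The comment could also state that, unlike IKeystoreService::deleteKey(), no `ResponseCode::KEY_NOT_FOUND` is listed here, so callers know an unknown or malformed blob surfaces as a KeyMint ErrorCode, if that is the intended behaviour.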
