authorBrian Young <bcyoung@google.com>2018-02-23 18:02:49 +0000
committerBrian C. Young <bcyoung@google.com>2018-03-28 08:38:57 -0700
commit025c852c2a82193e0e3d723a91cb14733be2b743 (patch)
treec2f1c13ebdc157cedecaab7aeb37638a16fc51cc
parent525e2d9bb73af6b765a4604f04184f66cc81f72e (diff)
Add "unlocked device required" API
Add a keymaster parameter for keys that should be inaccessible when the device screen is locked. "Locked" here is a state where the device can be used or accessed without any further trust factor such as a PIN, password, fingerprint, or trusted face or voice. This parameter is added to the Java keystore interface for key creation and import, as well as enums specified by and for the native keystore process. This is the API only, full functionality will be added in a later commit. Test: CTS tests in CtsKeystoreTestCases Bug: 67752510 Merged-In: I967193e7f3be4f7a4ddea004b9b203fe035a5d44 Change-Id: I967193e7f3be4f7a4ddea004b9b203fe035a5d44 (cherry picked from commit c9c285e340c42b6c356135bef822f8ed54968019)
-rw-r--r--android_keymaster/keymaster_enforcement.cpp10
-rw-r--r--android_keymaster/keymaster_tags.cpp2
-rw-r--r--include/keymaster/keymaster_tags.h1
-rw-r--r--km_openssl/attestation_record.cpp3
4 files changed, 14 insertions, 2 deletions
diff --git a/android_keymaster/keymaster_enforcement.cpp b/android_keymaster/keymaster_enforcement.cpp
index ccb20f0..e8bc2b2 100644
--- a/android_keymaster/keymaster_enforcement.cpp
+++ b/android_keymaster/keymaster_enforcement.cpp
@@ -182,8 +182,9 @@ KeymasterEnforcement::AuthorizeUpdateOrFinish(const AuthProxy& auth_set,
}
}
- if (authentication_required)
+ if (authentication_required) {
return KM_ERROR_KEY_USER_NOT_AUTHENTICATED;
+ }
return KM_ERROR_OK;
}
@@ -337,7 +338,6 @@ keymaster_error_t KeymasterEnforcement::AuthorizeBegin(const keymaster_purpose_t
case KM_TAG_OS_PATCHLEVEL:
/* Ignored pending removal */
- case KM_TAG_USER_ID:
case KM_TAG_ALL_USERS:
/* TODO(swillden): Handle these */
@@ -347,6 +347,12 @@ keymaster_error_t KeymasterEnforcement::AuthorizeBegin(const keymaster_purpose_t
case KM_TAG_ALLOW_WHILE_ON_BODY:
break;
+ /* TODO(bcyoung): This is currently handled in keystore, but may move to keymaster in the
+ * future */
+ case KM_TAG_USER_ID:
+ case KM_TAG_UNLOCKED_DEVICE_REQUIRED:
+ break;
+
case KM_TAG_BOOTLOADER_ONLY:
return KM_ERROR_INVALID_KEY_BLOB;
}
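Review bot: The new `KM_TAG_UNLOCKED_DEVICE_REQUIRED` case in AuthorizeBegin only breaks, so keymaster itself authorizes the operation whether or not the device is locked; per the TODO, the check currently lives in keystore. The comment should say that outright, because a reader of this switch could take the tag as enforced here, and the same applies to `KM_TAG_USER_ID`, which moved into this group. Something like `/* Not enforced by keymaster: keystore checks these tags before calling in (b/67752510). */` would make the trust boundary explicit. The switch and the rest of AuthorizeBegin begin and end outside the hunk.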
diff --git a/android_keymaster/keymaster_tags.cpp b/android_keymaster/keymaster_tags.cpp
index 2375389..27b67c8 100644
--- a/android_keymaster/keymaster_tags.cpp
+++ b/android_keymaster/keymaster_tags.cpp
@@ -109,6 +109,8 @@ const char* StringifyTag(keymaster_tag_t tag) {
return "KM_TAG_RESET_SINCE_ID_ROTATION";
case KM_TAG_ALLOW_WHILE_ON_BODY:
return "KM_TAG_ALLOW_WHILE_ON_BODY";
+ case KM_TAG_UNLOCKED_DEVICE_REQUIRED:
+ return "KM_TAG_UNLOCKED_DEVICE_REQUIRED";
case KM_TAG_ATTESTATION_CHALLENGE:
return "KM_TAG_ATTESTATION_CHALLENGE";
case KM_TAG_ATTESTATION_APPLICATION_ID:
diff --git a/include/keymaster/keymaster_tags.h b/include/keymaster/keymaster_tags.h
index ad072ec..9908119 100644
--- a/include/keymaster/keymaster_tags.h
+++ b/include/keymaster/keymaster_tags.h
@@ -151,6 +151,7 @@ DECLARE_KEYMASTER_TAG(KM_ULONG_REP, TAG_USER_SECURE_ID);
DECLARE_KEYMASTER_TAG(KM_BOOL, TAG_NO_AUTH_REQUIRED);
DECLARE_KEYMASTER_TAG(KM_UINT, TAG_AUTH_TIMEOUT);
DECLARE_KEYMASTER_TAG(KM_BOOL, TAG_ALLOW_WHILE_ON_BODY);
+DECLARE_KEYMASTER_TAG(KM_BOOL, TAG_UNLOCKED_DEVICE_REQUIRED);
DECLARE_KEYMASTER_TAG(KM_BOOL, TAG_ALL_APPLICATIONS);
DECLARE_KEYMASTER_TAG(KM_BYTES, TAG_APPLICATION_ID);
DECLARE_KEYMASTER_TAG(KM_BYTES, TAG_APPLICATION_DATA);
diff --git a/km_openssl/attestation_record.cpp b/km_openssl/attestation_record.cpp
index c4a1afc..3305896 100644
--- a/km_openssl/attestation_record.cpp
+++ b/km_openssl/attestation_record.cpp
@@ -223,6 +223,9 @@ keymaster_error_t build_auth_list(const AuthorizationSet& auth_list, KM_AUTH_LIS
case KM_TAG_ALLOW_WHILE_ON_BODY:
bool_ptr = &record->allow_while_on_body;
break;
+ case KM_TAG_UNLOCKED_DEVICE_REQUIRED:
+ // TODO(67752510)
+ break;
case KM_TAG_CALLER_NONCE:
bool_ptr = &record->caller_nonce;
break;
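Review bot: The `KM_TAG_UNLOCKED_DEVICE_REQUIRED` case in build_auth_list breaks without setting `bool_ptr`, unlike the `KM_TAG_ALLOW_WHILE_ON_BODY` and `KM_TAG_CALLER_NONCE` cases around it. The code after the switch is outside the hunk; if it writes through `bool_ptr` for KM_BOOL tags, as the neighbouring cases suggest, this path needs to skip the entry rather than leave the switch with an unset pointer. Separately, the tag is left out of the attestation record, so a verifier cannot tell that a key carries this restriction. The TODO would be clearer as `// TODO(67752510): not yet in the attestation record, so verifiers cannot see this restriction.`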