authorBrian C. Young <bcyoung@google.com>2017-11-16 15:47:44 -0800
committerBrian C. Young <bcyoung@google.com>2018-01-25 08:43:14 -0800
commitd98e6865503ee2c63c4e73796f7ad8b6cb87c450 (patch)
tree826ac4718a29e5b62482902ea2ebb182620a81e9 /include/keymaster
parentd16d923716a4e54ca4c9003ff4b356705f1e10b7 (diff)
Add "Unlocked device required" parameter to keys
Add a keymaster parameter for keys that should be inaccessible when the device screen is locked. "Locked" here is a state where the device can be used or accessed without any further trust factor such as a PIN, password, fingerprint, or trusted face or voice. This parameter is added to the Java keystore interface for key creation and import, as well as enums specified by and for the native keystore process. Test: go/asym-write-test-plan Bug: 67752510 Change-Id: I100e55de7080edb2bd705c2ab9d116f72bac97f8
Diffstat (limited to 'include/keymaster')
-rw-r--r--include/keymaster/attestation_record.h1
-rw-r--r--include/keymaster/keymaster_tags.h1
2 files changed, 2 insertions, 0 deletions
diff --git a/include/keymaster/attestation_record.h b/include/keymaster/attestation_record.h
index 604e391..c7facd3 100644
--- a/include/keymaster/attestation_record.h
+++ b/include/keymaster/attestation_record.h
@@ -71,6 +71,7 @@ typedef struct km_auth_list {
ASN1_INTEGER* user_auth_type;
ASN1_INTEGER* auth_timeout;
ASN1_NULL* allow_while_on_body;
+ ASN1_NULL* unlocked_device_required;
ASN1_NULL* all_applications;
ASN1_OCTET_STRING* application_id;
ASN1_INTEGER* creation_date_time;
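Review bot: The new `unlocked_device_required` member in `km_auth_list` is only a storage slot, and this header-only view does not show the matching optional entry in the ASN.1 template or the code that fills it from the authorization set. If either is missing from the companion source change, an attestation verifier would see the flag absent for a key that actually carries the restriction, so confirm the template entry uses the same tag number as TAG_UNLOCKED_DEVICE_REQUIRED and that the field is populated and released like `allow_while_on_body`. I would also document the member where it is declared, e.g. `// Present (as NULL) only when the key may be used solely while the device is unlocked.` The struct definition starts and ends outside this hunk.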
diff --git a/include/keymaster/keymaster_tags.h b/include/keymaster/keymaster_tags.h
index ad072ec..9908119 100644
--- a/include/keymaster/keymaster_tags.h
+++ b/include/keymaster/keymaster_tags.h
@@ -151,6 +151,7 @@ DECLARE_KEYMASTER_TAG(KM_ULONG_REP, TAG_USER_SECURE_ID);
DECLARE_KEYMASTER_TAG(KM_BOOL, TAG_NO_AUTH_REQUIRED);
DECLARE_KEYMASTER_TAG(KM_UINT, TAG_AUTH_TIMEOUT);
DECLARE_KEYMASTER_TAG(KM_BOOL, TAG_ALLOW_WHILE_ON_BODY);
+DECLARE_KEYMASTER_TAG(KM_BOOL, TAG_UNLOCKED_DEVICE_REQUIRED);
DECLARE_KEYMASTER_TAG(KM_BOOL, TAG_ALL_APPLICATIONS);
DECLARE_KEYMASTER_TAG(KM_BYTES, TAG_APPLICATION_ID);
DECLARE_KEYMASTER_TAG(KM_BYTES, TAG_APPLICATION_DATA);
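Review bot: The added `TAG_UNLOCKED_DEVICE_REQUIRED` declaration carries no comment saying which layer enforces it or what happens when an implementation does not recognise the tag. Device lock state is presumably known to the keystore layer rather than to the keymaster implementation, so a reader cannot tell from this line whether the restriction is hardware- or software-enforced, and a backend that silently drops an unknown tag would leave the key usable while the device is locked. I would add a line above the declaration such as `// Key is usable only while the device is unlocked; KM_BOOL, so presence means true. Enforced by: <layer to be confirmed>.` and check that key generation and import either record the tag in an enforced list or fail. The underlying tag constant is defined outside this diff.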