/*
 * keymaster_tag_t: identifiers for key-authorization and operation parameters.
 *
 * Every enumerator is a type constant (KM_ENUM, KM_ENUM_REP, KM_UINT, KM_ULONG,
 * KM_ULONG_REP, KM_DATE, KM_BOOL, KM_BYTES, KM_INVALID; defined outside this
 * view) OR'ed with a numeric tag ID.
 *
 * NOTE(review): judging by the resolved values listed after this enum on the
 * page (e.g. KM_TAG_PURPOSE = 0x20000001, KM_TAG_USER_SECURE_ID = 0xa00001f6),
 * the type constant occupies the top hex digit and the ID the low bits --
 * confirm against the definition of the type constants.
 *
 * NOTE(review): that listing has no entry for KM_TAG_ROLLBACK_RESISTANCE,
 * KM_TAG_EARLY_BOOT_ONLY, KM_TAG_TRUSTED_CONFIRMATION_REQUIRED,
 * KM_TAG_UNLOCKED_DEVICE_REQUIRED, KM_TAG_DEVICE_UNIQUE_ATTESTATION or
 * KM_TAG_IDENTITY_CREDENTIAL_KEY, so it appears to predate them; a decoder
 * built from the listing alone would not recognise those tags.
 *
 * The section comments below group the tags by who enforces them:
 *   - must be enforced by hardware and software implementations,
 *   - enforced by hardware if possible, otherwise by software (keystore),
 *   - semantically unenforceable / informational only,
 *   - tags that only carry data into or out of an operation.
 * When reviewing a key's authorizations, check which group a tag belongs to
 * before treating it as a restriction on key use.
 */
typedef enum {
    KM_TAG_INVALID = KM_INVALID | 0,
    /*
     * Tags that must be semantically enforced by hardware and software implementations.
     */
    /* Crypto parameters */
    KM_TAG_PURPOSE = KM_ENUM_REP | 1, /* keymaster_purpose_t. */
    KM_TAG_ALGORITHM = KM_ENUM | 2, /* keymaster_algorithm_t. */
    KM_TAG_KEY_SIZE = KM_UINT | 3, /* Key size in bits. */
    KM_TAG_BLOCK_MODE = KM_ENUM_REP | 4, /* keymaster_block_mode_t. */
    KM_TAG_DIGEST = KM_ENUM_REP | 5, /* keymaster_digest_t. */
    KM_TAG_PADDING = KM_ENUM_REP | 6, /* keymaster_padding_t. */
    KM_TAG_CALLER_NONCE = KM_BOOL | 7, /* Allow caller to specify nonce or IV.
                                        * NOTE(review): when the caller supplies
                                        * the nonce/IV, keeping it unique per key
                                        * is the caller's responsibility. */
    KM_TAG_MIN_MAC_LENGTH = KM_UINT | 8, /* Minimum length of MAC or AEAD authentication tag in
                                          * bits. */
    KM_TAG_KDF = KM_ENUM_REP | 9, /* keymaster_kdf_t (keymaster2) */
    KM_TAG_EC_CURVE = KM_ENUM | 10, /* keymaster_ec_curve_t (keymaster2) */
    /* Algorithm-specific. */
    KM_TAG_RSA_PUBLIC_EXPONENT = KM_ULONG | 200,
    KM_TAG_ECIES_SINGLE_HASH_MODE = KM_BOOL | 201, /* Whether the ephemeral public key is fed into
                                                    * the KDF */
    KM_TAG_INCLUDE_UNIQUE_ID = KM_BOOL | 202, /* If true, attestation certificates for this key
                                               * will contain an application-scoped and
                                               * time-bounded device-unique ID. (keymaster2) */
    /* Other hardware-enforced. */
    KM_TAG_BLOB_USAGE_REQUIREMENTS = KM_ENUM | 301, /* keymaster_key_blob_usage_requirements_t */
    KM_TAG_BOOTLOADER_ONLY = KM_BOOL | 302, /* Usable only by bootloader */
    KM_TAG_ROLLBACK_RESISTANCE = KM_BOOL | 303, /* Hardware enforced deletion with deleteKey
                                                 * or deleteAllKeys is supported.
                                                 * Distinct from the similarly named
                                                 * KM_TAG_ROLLBACK_RESISTANT (703), which
                                                 * sits in the unenforceable group. */
    KM_TAG_EARLY_BOOT_ONLY = KM_BOOL | 305, /* Key can only be used during early boot. */
    /*
     * Tags that should be semantically enforced by hardware if possible and will otherwise be
     * enforced by software (keystore).
     */
    /* Key validity period */
    KM_TAG_ACTIVE_DATETIME = KM_DATE | 400, /* Start of validity */
    KM_TAG_ORIGINATION_EXPIRE_DATETIME = KM_DATE | 401, /* Date when new "messages" should no
                                                         * longer be created. */
    KM_TAG_USAGE_EXPIRE_DATETIME = KM_DATE | 402, /* Date when existing "messages" should no
                                                   * longer be trusted. */
    KM_TAG_MIN_SECONDS_BETWEEN_OPS = KM_UINT | 403, /* Minimum elapsed time between
                                                     * cryptographic operations with the key. */
    KM_TAG_MAX_USES_PER_BOOT = KM_UINT | 404, /* Number of times the key can be used per
                                               * boot. */
    /* User authentication */
    KM_TAG_ALL_USERS = KM_BOOL | 500, /* Reserved for future use -- ignore */
    KM_TAG_USER_ID = KM_UINT | 501, /* Reserved for future use -- ignore */
    KM_TAG_USER_SECURE_ID = KM_ULONG_REP | 502, /* Secure ID of authorized user or authenticator(s).
                                                 * Disallowed if KM_TAG_ALL_USERS or
                                                 * KM_TAG_NO_AUTH_REQUIRED is present. */
    KM_TAG_NO_AUTH_REQUIRED = KM_BOOL | 503, /* If key is usable without authentication. */
    KM_TAG_USER_AUTH_TYPE = KM_ENUM | 504, /* Bitmask of authenticator types allowed when
                                            * KM_TAG_USER_SECURE_ID contains a secure user ID,
                                            * rather than a secure authenticator ID. Defined in
                                            * hw_authenticator_type_t in hw_auth_token.h.
                                            * NOTE(review): typed KM_ENUM although the value
                                            * is described as a bitmask. */
    KM_TAG_AUTH_TIMEOUT = KM_UINT | 505, /* Required freshness of user authentication for
                                          * private/secret key operations, in seconds.
                                          * Public key operations require no authentication.
                                          * If absent, authentication is required for every
                                          * use. Authentication state is lost when the
                                          * device is powered off. */
    KM_TAG_ALLOW_WHILE_ON_BODY = KM_BOOL | 506, /* Allow key to be used after authentication timeout
                                                 * if device is still on-body (requires secure
                                                 * on-body sensor). */
    KM_TAG_TRUSTED_CONFIRMATION_REQUIRED = KM_BOOL | 508, /* Require user confirmation through a
                                                           * trusted UI to use this key */
    KM_TAG_UNLOCKED_DEVICE_REQUIRED = KM_BOOL | 509, /* Require the device screen to be unlocked if the
                                                      * key is used. */
    /* Application access control */
    KM_TAG_ALL_APPLICATIONS = KM_BOOL | 600, /* Specified to indicate key is usable by all
                                              * applications. */
    KM_TAG_APPLICATION_ID = KM_BYTES | 601, /* Byte string identifying the authorized
                                             * application. */
    KM_TAG_EXPORTABLE = KM_BOOL | 602, /* If true, private/secret key can be exported, but
                                        * only if all access control requirements for use are
                                        * met. (keymaster2) */
    /*
     * Semantically unenforceable tags, either because they have no specific meaning or because
     * they're informational only.
     */
    KM_TAG_APPLICATION_DATA = KM_BYTES | 700, /* Data provided by authorized application. */
    KM_TAG_CREATION_DATETIME = KM_DATE | 701, /* Key creation time */
    KM_TAG_ORIGIN = KM_ENUM | 702, /* keymaster_key_origin_t. */
    KM_TAG_ROLLBACK_RESISTANT = KM_BOOL | 703, /* Whether key is rollback-resistant.
                                                * Not the same tag as
                                                * KM_TAG_ROLLBACK_RESISTANCE (303) in the
                                                * hardware-enforced group. */
    KM_TAG_ROOT_OF_TRUST = KM_BYTES | 704, /* Root of trust ID. */
    KM_TAG_OS_VERSION = KM_UINT | 705, /* Version of system (keymaster2) */
    KM_TAG_OS_PATCHLEVEL = KM_UINT | 706, /* Patch level of system (keymaster2) */
    KM_TAG_UNIQUE_ID = KM_BYTES | 707, /* Used to provide unique ID in attestation */
    KM_TAG_ATTESTATION_CHALLENGE = KM_BYTES | 708, /* Used to provide challenge in attestation */
    KM_TAG_ATTESTATION_APPLICATION_ID = KM_BYTES | 709, /* Used to identify the set of possible
                                                         * applications of which one has initiated
                                                         * a key attestation */
    /* The ATTESTATION_ID_* tags below carry device identifiers (brand, serial, IMEI, ...);
     * a certificate that includes them identifies the individual device. */
    KM_TAG_ATTESTATION_ID_BRAND = KM_BYTES | 710, /* Used to provide the device's brand name to be
                                                   * included in attestation */
    KM_TAG_ATTESTATION_ID_DEVICE = KM_BYTES | 711, /* Used to provide the device's device name to be
                                                    * included in attestation */
    KM_TAG_ATTESTATION_ID_PRODUCT = KM_BYTES | 712, /* Used to provide the device's product name to
                                                     * be included in attestation */
    KM_TAG_ATTESTATION_ID_SERIAL = KM_BYTES | 713, /* Used to provide the device's serial number to
                                                    * be included in attestation */
    KM_TAG_ATTESTATION_ID_IMEI = KM_BYTES | 714, /* Used to provide the device's IMEI to be
                                                  * included in attestation */
    KM_TAG_ATTESTATION_ID_MEID = KM_BYTES | 715, /* Used to provide the device's MEID to be
                                                  * included in attestation */
    KM_TAG_ATTESTATION_ID_MANUFACTURER = KM_BYTES | 716, /* Used to provide the device's
                                                          * manufacturer name to be included in
                                                          * attestation */
    KM_TAG_ATTESTATION_ID_MODEL = KM_BYTES | 717, /* Used to provide the device's model name to be
                                                   * included in attestation */
    KM_TAG_DEVICE_UNIQUE_ATTESTATION = KM_BOOL | 720, /* Indicates StrongBox device-unique attestation
                                                       * is requested. */
    KM_TAG_IDENTITY_CREDENTIAL_KEY = KM_BOOL | 721, /* This is an identity credential key */
    /* Tags used only to provide data to or receive data from operations */
    KM_TAG_ASSOCIATED_DATA = KM_BYTES | 1000, /* Used to provide associated data for AEAD modes. */
    KM_TAG_NONCE = KM_BYTES | 1001, /* Nonce or Initialization Vector */
    KM_TAG_AUTH_TOKEN = KM_BYTES | 1002, /* Authentication token that proves secure user
                                          * authentication has been performed. Structure
                                          * defined in hw_auth_token_t in hw_auth_token.h. */
    KM_TAG_MAC_LENGTH = KM_UINT | 1003, /* MAC or AEAD authentication tag length in
                                         * bits. */
    KM_TAG_RESET_SINCE_ID_ROTATION = KM_BOOL | 1004, /* Whether the device has been factory reset
                                                      * since the last unique ID rotation. Used for
                                                      * key attestation. */
} keymaster_tag_t;
KM_TAG_INVALID = 0x0
KM_TAG_PURPOSE = 0x20000001
KM_TAG_ALGORITHM = 0x10000002
KM_TAG_KEY_SIZE = 0x30000003
KM_TAG_BLOCK_MODE = 0x20000004
KM_TAG_DIGEST = 0x20000005
KM_TAG_PADDING = 0x20000006
KM_TAG_CALLER_NONCE = 0x70000007
KM_TAG_MIN_MAC_LENGTH = 0x30000008
KM_TAG_KDF = 0x20000009
KM_TAG_EC_CURVE = 0x1000000a
KM_TAG_RSA_PUBLIC_EXPONENT = 0x500000c8
KM_TAG_ECIES_SINGLE_HASH_MODE = 0x700000c9
KM_TAG_INCLUDE_UNIQUE_ID = 0x700000ca
KM_TAG_BLOB_USAGE_REQUIREMENTS = 0x1000012d
KM_TAG_BOOTLOADER_ONLY = 0x7000012e
KM_TAG_ACTIVE_DATETIME = 0x60000190
KM_TAG_ORIGINATION_EXPIRE_DATETIME = 0x60000191
KM_TAG_USAGE_EXPIRE_DATETIME = 0x60000192
KM_TAG_MIN_SECONDS_BETWEEN_OPS = 0x30000193
KM_TAG_MAX_USES_PER_BOOT = 0x30000194
KM_TAG_ALL_USERS = 0x700001f4
KM_TAG_USER_ID = 0x300001f5
KM_TAG_USER_SECURE_ID = 0xa00001f6
KM_TAG_NO_AUTH_REQUIRED = 0x700001f7
KM_TAG_USER_AUTH_TYPE = 0x100001f8
KM_TAG_AUTH_TIMEOUT = 0x300001f9
KM_TAG_ALLOW_WHILE_ON_BODY = 0x700001fa
KM_TAG_ALL_APPLICATIONS = 0x70000258
KM_TAG_APPLICATION_ID = 0x90000259
KM_TAG_EXPORTABLE = 0x7000025a
KM_TAG_APPLICATION_DATA = 0x900002bc
KM_TAG_CREATION_DATETIME = 0x600002bd
KM_TAG_ORIGIN = 0x100002be
KM_TAG_ROLLBACK_RESISTANT = 0x700002bf
KM_TAG_ROOT_OF_TRUST = 0x900002c0
KM_TAG_OS_VERSION = 0x300002c1
KM_TAG_OS_PATCHLEVEL = 0x300002c2
KM_TAG_UNIQUE_ID = 0x900002c3
KM_TAG_ATTESTATION_CHALLENGE = 0x900002c4
KM_TAG_ATTESTATION_APPLICATION_ID = 0x900002c5
KM_TAG_ATTESTATION_ID_BRAND = 0x900002c6
KM_TAG_ATTESTATION_ID_DEVICE = 0x900002c7
KM_TAG_ATTESTATION_ID_PRODUCT = 0x900002c8
KM_TAG_ATTESTATION_ID_SERIAL = 0x900002c9
KM_TAG_ATTESTATION_ID_IMEI = 0x900002ca
KM_TAG_ATTESTATION_ID_MEID = 0x900002cb
KM_TAG_ATTESTATION_ID_MANUFACTURER = 0x900002cc
KM_TAG_ATTESTATION_ID_MODEL = 0x900002cd
KM_TAG_ASSOCIATED_DATA = 0x900003e8
KM_TAG_NONCE = 0x900003e9
KM_TAG_AUTH_TOKEN = 0x900003ea
KM_TAG_MAC_LENGTH = 0x300003eb
KM_TAG_RESET_SINCE_ID_ROTATION = 0x700003ec