authorBrian Young <bcyoung@google.com>2018-02-23 18:03:26 +0000
committerBrian C. Young <bcyoung@google.com>2018-03-28 08:38:57 -0700
commit8cf2862f9410d3b581038edd1575c11e4ced9c76 (patch)
tree0eac37d53b8ebdddc5bc90a8b792ae7521cc37b1
parent762407ccc3628934ec722a4d426e81dd6f544674 (diff)
Add "Unlocked device required" key API
Add a keymaster parameter for keys that should be inaccessible when the device screen is locked. "Locked" here is a state where the device can be used or accessed without any further trust factor such as a PIN, password, fingerprint, or trusted face or voice. This parameter is added to the Java keystore interface for key creation and import, as well as enums specified by and for the native keystore process. Test: CTS tests in I8a5affd1eaed176756175158e3057e44934fffed Bug: 67752510 Merged-In: I94d8bc5543d00d28064c6e555b38823b70dbfbe6 Change-Id: I94d8bc5543d00d28064c6e555b38823b70dbfbe6 (cherry picked from commit a47bb104965af5dac21bb128adf67932ee05e8e4)
-rw-r--r--include/hardware/keymaster_defs.h3
1 files changed, 3 insertions, 0 deletions
diff --git a/include/hardware/keymaster_defs.h b/include/hardware/keymaster_defs.h
index 6e812f29..cec486e7 100644
--- a/include/hardware/keymaster_defs.h
+++ b/include/hardware/keymaster_defs.h
@@ -112,6 +112,8 @@ typedef enum {
KM_TAG_ALLOW_WHILE_ON_BODY = KM_BOOL | 506, /* Allow key to be used after authentication timeout
* if device is still on-body (requires secure
* on-body sensor. */
+ KM_TAG_UNLOCKED_DEVICE_REQUIRED = KM_BOOL | 508, /* Require the device screen to be unlocked if the
+ * key is used. */
/* Application access control */
KM_TAG_ALL_APPLICATIONS = KM_BOOL | 600, /* Specified to indicate key is usable by all
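Review bot: The comment on `KM_TAG_UNLOCKED_DEVICE_REQUIRED` does not say which component enforces the restriction or what a caller sees when it applies, which is what an implementer of an access-control tag needs to know. From this hunk alone it is unclear whether the secure keymaster implementation is told the lock state or whether keystore checks it in software, so the comment should state that explicitly, e.g. `/* Key may be used only while the device is unlocked; operations fail with KM_ERROR_DEVICE_LOCKED otherwise. Enforced by <component, to be confirmed>. */`. The value also skips 507 here, and `KM_ERROR_DEVICE_LOCKED = -72` in the second hunk skips -67 to -71; these numbers are presumably shared with other keymaster components, so a one-line comment marking the skipped values as reserved would guard against accidental reuse. The enum body starts and ends outside the hunk.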
@@ -452,6 +454,7 @@ typedef enum {
KM_ERROR_KEYMASTER_NOT_CONFIGURED = -64,
KM_ERROR_ATTESTATION_APPLICATION_ID_MISSING = -65,
KM_ERROR_CANNOT_ATTEST_IDS = -66,
+ KM_ERROR_DEVICE_LOCKED = -72,
KM_ERROR_UNIMPLEMENTED = -100,
KM_ERROR_VERSION_MISMATCH = -101,