author | TreeHugger Robot | 2018-05-31 11:49:10 -0500 |
---|---|---|
committer | Android (Google) Code Review | 2018-05-31 11:49:10 -0500 |
commit | 8bac8dcba533d8b50fe4780f072c55554b0f845a (patch) | |
tree | dfb63a2d908c6177c3aaf52e85b9ca20500551c2 | |
parent | 739c3177ea3228a26ae7a8293158f417d6105dff (diff) | |
parent | 5b60a1b72e261cd1799a487dd960ddf0cc2e06e5 (diff) | |
Merge "Minor corrections to the Keymaster4 documentation." into pi-dev
-rw-r--r-- | current.txt | 4 | ||||
-rw-r--r-- | keymaster/4.0/IKeymasterDevice.hal | 21 | ||||
-rw-r--r-- | keymaster/4.0/types.hal | 49 |
3 files changed, 41 insertions, 33 deletions
diff --git a/current.txt b/current.txt index 413efae2..9ddfdb63 100644 --- a/current.txt +++ b/current.txt | |||
@@ -347,8 +347,8 @@ dd83be076b6b3f10ed62ab34d8c8b95f2415961fb785200eb842e7bfb2b0ee92 android.hardwar | |||
347 | 675682dd3007805c985eaaec91612abc88f4c25b3431fb84070b7584a1a741fb android.hardware.health@2.0::IHealth | 347 | 675682dd3007805c985eaaec91612abc88f4c25b3431fb84070b7584a1a741fb android.hardware.health@2.0::IHealth |
348 | 434c4c32c00b0e54bb05e40c79503208b40f786a318029a2a4f66e34f10f2a76 android.hardware.health@2.0::IHealthInfoCallback | 348 | 434c4c32c00b0e54bb05e40c79503208b40f786a318029a2a4f66e34f10f2a76 android.hardware.health@2.0::IHealthInfoCallback |
349 | c9e498f1ade5e26f00d290b4763a9671ec6720f915e7d592844b62e8cb1f9b5c android.hardware.health@2.0::types | 349 | c9e498f1ade5e26f00d290b4763a9671ec6720f915e7d592844b62e8cb1f9b5c android.hardware.health@2.0::types |
350 | 5c8e06f9945276d1a9e8f7e37cf0ea8894bdb906fa80809cb06c36abb39afc4f android.hardware.keymaster@4.0::IKeymasterDevice | 350 | 201f9723353fdbd40bf3705537fb7e015e4c399879425e68688fe0f43606ea4d android.hardware.keymaster@4.0::IKeymasterDevice |
351 | 6695eb5744108035506004dd136068b1aaebe809cf9d4a69c2fe33b73058bb85 android.hardware.keymaster@4.0::types | 351 | 1b7d2090c0a28b229d37c4b96160796b1f0d703950ac6ccc163fccd280830503 android.hardware.keymaster@4.0::types |
352 | 6d5c646a83538f0f9d8438c259932509f4353410c6c76e56db0d6ca98b69c3bb android.hardware.media.bufferpool@1.0::IAccessor | 352 | 6d5c646a83538f0f9d8438c259932509f4353410c6c76e56db0d6ca98b69c3bb android.hardware.media.bufferpool@1.0::IAccessor |
353 | b8c7ed58aa8740361e63d0ce9e7c94227572a629f356958840b34809d2393a7c android.hardware.media.bufferpool@1.0::IClientManager | 353 | b8c7ed58aa8740361e63d0ce9e7c94227572a629f356958840b34809d2393a7c android.hardware.media.bufferpool@1.0::IClientManager |
354 | 4a2c0dc82780e6c90731725a103feab8ab6ecf85a64e049b9cbd2b2c61620fe1 android.hardware.media.bufferpool@1.0::IConnection | 354 | 4a2c0dc82780e6c90731725a103feab8ab6ecf85a64e049b9cbd2b2c61620fe1 android.hardware.media.bufferpool@1.0::IConnection |
diff --git a/keymaster/4.0/IKeymasterDevice.hal b/keymaster/4.0/IKeymasterDevice.hal index 6c09ef33..74d13d8b 100644 --- a/keymaster/4.0/IKeymasterDevice.hal +++ b/keymaster/4.0/IKeymasterDevice.hal | |||
@@ -217,8 +217,8 @@ interface IKeymasterDevice { | |||
217 | * must be a TEE Keymaster as well. The HMAC key used to MAC and verify authentication tokens | 217 | * must be a TEE Keymaster as well. The HMAC key used to MAC and verify authentication tokens |
218 | * (HardwareAuthToken, VerificationToken and ConfirmationToken all use this HMAC key) must be | 218 | * (HardwareAuthToken, VerificationToken and ConfirmationToken all use this HMAC key) must be |
219 | * shared between TEE and StrongBox so they can each validate tokens produced by the other. | 219 | * shared between TEE and StrongBox so they can each validate tokens produced by the other. |
220 | * This method is the first step in the process for for agreeing on a shared key. It is called | 220 | * This method is the first step in the process for agreeing on a shared key. It is called by |
221 | * by Android during startup. The system calls it on each of the HAL instances and collects the | 221 | * Android during startup. The system calls it on each of the HAL instances and collects the |
222 | * results in preparation for the second step. | 222 | * results in preparation for the second step. |
223 | * | 223 | * |
224 | * @return error ErrorCode::OK on success, ErrorCode::UNIMPLEMENTED if HMAC agreement is not | 224 | * @return error ErrorCode::OK on success, ErrorCode::UNIMPLEMENTED if HMAC agreement is not |
@@ -324,7 +324,7 @@ interface IKeymasterDevice { | |||
324 | * sharingCheck = HMAC(H, "Keymaster HMAC Verification") | 324 | * sharingCheck = HMAC(H, "Keymaster HMAC Verification") |
325 | * | 325 | * |
326 | * The string is UTF-8 encoded, 27 bytes in length. If the returned values of all | 326 | * The string is UTF-8 encoded, 27 bytes in length. If the returned values of all |
327 | * IKeymasterDevice instances don't match, Keystore will assume that HMAC agreement | 327 | * IKeymasterDevice instances don't match, clients must assume that HMAC agreement |
328 | * failed. | 328 | * failed. |
329 | */ | 329 | */ |
330 | computeSharedHmac(vec<HmacSharingParameters> params) | 330 | computeSharedHmac(vec<HmacSharingParameters> params) |
@@ -718,16 +718,19 @@ interface IKeymasterDevice { | |||
718 | * AuthorizationList ::= SEQUENCE { | 718 | * AuthorizationList ::= SEQUENCE { |
719 | * purpose [1] EXPLICIT SET OF INTEGER OPTIONAL, | 719 | * purpose [1] EXPLICIT SET OF INTEGER OPTIONAL, |
720 | * algorithm [2] EXPLICIT INTEGER OPTIONAL, | 720 | * algorithm [2] EXPLICIT INTEGER OPTIONAL, |
721 | * keySize [3] EXPLICIT INTEGER OPTIONAL. | 721 | * keySize [3] EXPLICIT INTEGER OPTIONAL, |
722 | * blockMode [4] EXPLICIT SET OF INTEGER OPTIONAL, | 722 | * blockMode [4] EXPLICIT SET OF INTEGER OPTIONAL, |
723 | * digest [5] EXPLICIT SET OF INTEGER OPTIONAL, | 723 | * digest [5] EXPLICIT SET OF INTEGER OPTIONAL, |
724 | * padding [6] EXPLICIT SET OF INTEGER OPTIONAL, | 724 | * padding [6] EXPLICIT SET OF INTEGER OPTIONAL, |
725 | * callerNonce [7] EXPLICIT NULL OPTIONAL, | ||
726 | * minMacLength [8] EXPLICIT INTEGER OPTIONAL, | ||
725 | * ecCurve [10] EXPLICIT INTEGER OPTIONAL, | 727 | * ecCurve [10] EXPLICIT INTEGER OPTIONAL, |
726 | * rsaPublicExponent [200] EXPLICIT INTEGER OPTIONAL, | 728 | * rsaPublicExponent [200] EXPLICIT INTEGER OPTIONAL, |
727 | * rollbackResistance [303] EXPLICIT NULL OPTIONAL, | 729 | * rollbackResistance [303] EXPLICIT NULL OPTIONAL, |
728 | * activeDateTime [400] EXPLICIT INTEGER OPTIONAL | 730 | * activeDateTime [400] EXPLICIT INTEGER OPTIONAL, |
729 | * originationExpireDateTime [401] EXPLICIT INTEGER OPTIONAL | 731 | * originationExpireDateTime [401] EXPLICIT INTEGER OPTIONAL, |
730 | * usageExpireDateTime [402] EXPLICIT INTEGER OPTIONAL | 732 | * usageExpireDateTime [402] EXPLICIT INTEGER OPTIONAL, |
733 | * userSecureId [502] EXPLICIT INTEGER OPTIONAL, | ||
731 | * noAuthRequired [503] EXPLICIT NULL OPTIONAL, | 734 | * noAuthRequired [503] EXPLICIT NULL OPTIONAL, |
732 | * userAuthType [504] EXPLICIT INTEGER OPTIONAL, | 735 | * userAuthType [504] EXPLICIT INTEGER OPTIONAL, |
733 | * authTimeout [505] EXPLICIT INTEGER OPTIONAL, | 736 | * authTimeout [505] EXPLICIT INTEGER OPTIONAL, |
@@ -735,15 +738,11 @@ interface IKeymasterDevice { | |||
735 | * trustedUserPresenceReq [507] EXPLICIT NULL OPTIONAL, | 738 | * trustedUserPresenceReq [507] EXPLICIT NULL OPTIONAL, |
736 | * trustedConfirmationReq [508] EXPLICIT NULL OPTIONAL, | 739 | * trustedConfirmationReq [508] EXPLICIT NULL OPTIONAL, |
737 | * unlockedDeviceReq [509] EXPLICIT NULL OPTIONAL, | 740 | * unlockedDeviceReq [509] EXPLICIT NULL OPTIONAL, |
738 | * allApplications [600] EXPLICIT NULL OPTIONAL, | ||
739 | * applicationId [601] EXPLICIT OCTET_STRING OPTIONAL, | ||
740 | * creationDateTime [701] EXPLICIT INTEGER OPTIONAL, | 741 | * creationDateTime [701] EXPLICIT INTEGER OPTIONAL, |
741 | * origin [702] EXPLICIT INTEGER OPTIONAL, | 742 | * origin [702] EXPLICIT INTEGER OPTIONAL, |
742 | * rollbackResistant [703] EXPLICIT NULL OPTIONAL, | ||
743 | * rootOfTrust [704] EXPLICIT RootOfTrust OPTIONAL, | 743 | * rootOfTrust [704] EXPLICIT RootOfTrust OPTIONAL, |
744 | * osVersion [705] EXPLICIT INTEGER OPTIONAL, | 744 | * osVersion [705] EXPLICIT INTEGER OPTIONAL, |
745 | * osPatchLevel [706] EXPLICIT INTEGER OPTIONAL, | 745 | * osPatchLevel [706] EXPLICIT INTEGER OPTIONAL, |
746 | * attestationChallenge [708] EXPLICIT OCTET_STRING OPTIONAL, | ||
747 | * attestationApplicationId [709] EXPLICIT OCTET_STRING OPTIONAL, | 746 | * attestationApplicationId [709] EXPLICIT OCTET_STRING OPTIONAL, |
748 | * attestationIdBrand [710] EXPLICIT OCTET_STRING OPTIONAL, | 747 | * attestationIdBrand [710] EXPLICIT OCTET_STRING OPTIONAL, |
749 | * attestationIdDevice [711] EXPLICIT OCTET_STRING OPTIONAL, | 748 | * attestationIdDevice [711] EXPLICIT OCTET_STRING OPTIONAL, |
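Review bot: The AuthorizationList schema still spells the type as `OCTET_STRING` in the last hunk (`attestationApplicationId [709] EXPLICIT OCTET_STRING OPTIONAL,` and the `attestationId*` fields after it), which is not an ASN.1 type name; the built-in type is `OCTET STRING`. This commit already repairs the schema's punctuation, so the same pass should change these lines to `attestationApplicationId [709] EXPLICIT OCTET STRING OPTIONAL,` and likewise for the others; otherwise the text cannot be fed to an ASN.1 compiler as written. The commit also drops tags 600, 601, 703 and 708 from the list, so the comment should say how an attestation verifier is expected to treat a tag that is not listed here. The SEQUENCE definition starts and ends outside the visible hunks, so fields beyond `attestationIdDevice` may need the same spelling fix.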
diff --git a/keymaster/4.0/types.hal b/keymaster/4.0/types.hal index 85f181ac..94dfec55 100644 --- a/keymaster/4.0/types.hal +++ b/keymaster/4.0/types.hal | |||
@@ -460,6 +460,8 @@ enum Tag : uint32_t { | |||
460 | * called on one key with TRUSTED_USER_PRESENCE_REQUIRED, and another begin() comes in for that | 460 | * called on one key with TRUSTED_USER_PRESENCE_REQUIRED, and another begin() comes in for that |
461 | * key or another with TRUSTED_USER_PRESENCE_REQUIRED, Keymaster must return | 461 | * key or another with TRUSTED_USER_PRESENCE_REQUIRED, Keymaster must return |
462 | * ErrorCode::CONCURRENT_PROOF_OF_PRESENCE_REQUESTED. | 462 | * ErrorCode::CONCURRENT_PROOF_OF_PRESENCE_REQUESTED. |
463 | * | ||
464 | * Must be hardware-enforced. | ||
463 | */ | 465 | */ |
464 | TRUSTED_USER_PRESENCE_REQUIRED = TagType:BOOL | 507, | 466 | TRUSTED_USER_PRESENCE_REQUIRED = TagType:BOOL | 507, |
465 | 467 | ||
@@ -470,11 +472,17 @@ enum Tag : uint32_t { | |||
470 | * | 472 | * |
471 | * If an attempt to use a key with this tag does not have a cryptographically valid | 473 | * If an attempt to use a key with this tag does not have a cryptographically valid |
472 | * CONFIRMATION_TOKEN provided to finish() or if the data provided to update()/finish() does not | 474 | * CONFIRMATION_TOKEN provided to finish() or if the data provided to update()/finish() does not |
473 | * match the data described in the token, keymaster must return NO_USER_CONFIRMATION. */ | 475 | * match the data described in the token, keymaster must return NO_USER_CONFIRMATION. |
476 | * | ||
477 | * Must be hardware-enforced. | ||
478 | */ | ||
474 | TRUSTED_CONFIRMATION_REQUIRED = TagType:BOOL | 508, | 479 | TRUSTED_CONFIRMATION_REQUIRED = TagType:BOOL | 508, |
475 | 480 | ||
476 | /** | 481 | /** |
482 | * Tag::UNLOCKED_DEVICE_REQUIRED specifies that the key may only be used when the device is | ||
483 | * unlocked. | ||
477 | * | 484 | * |
485 | * Must be software-enforced. | ||
478 | */ | 486 | */ |
479 | UNLOCKED_DEVICE_REQUIRED = TagType:BOOL | 509, | 487 | UNLOCKED_DEVICE_REQUIRED = TagType:BOOL | 509, |
480 | 488 | ||
@@ -490,7 +498,7 @@ enum Tag : uint32_t { | |||
490 | * access to the tag content to decrypt the key without brute-forcing the tag content, which | 498 | * access to the tag content to decrypt the key without brute-forcing the tag content, which |
491 | * applications can prevent by specifying sufficiently high-entropy content. | 499 | * applications can prevent by specifying sufficiently high-entropy content. |
492 | * | 500 | * |
493 | * Must be hardware-enforced. | 501 | * Must never appear in KeyCharacteristics. |
494 | */ | 502 | */ |
495 | APPLICATION_ID = TagType:BYTES | 601, | 503 | APPLICATION_ID = TagType:BYTES | 601, |
496 | 504 | ||
@@ -511,7 +519,7 @@ enum Tag : uint32_t { | |||
511 | * access to the tag content to decrypt the key without brute-forcing the tag content, which | 519 | * access to the tag content to decrypt the key without brute-forcing the tag content, which |
512 | * applications can prevent by specifying sufficiently high-entropy content. | 520 | * applications can prevent by specifying sufficiently high-entropy content. |
513 | * | 521 | * |
514 | * Must be hardware-enforced. | 522 | * Must never appear in KeyCharacteristics. |
515 | */ | 523 | */ |
516 | APPLICATION_DATA = TagType:BYTES | 700, | 524 | APPLICATION_DATA = TagType:BYTES | 700, |
517 | 525 | ||
@@ -557,11 +565,12 @@ enum Tag : uint32_t { | |||
557 | * key generated on Android version 4.0.3, the value would be 040003. | 565 | * key generated on Android version 4.0.3, the value would be 040003. |
558 | * | 566 | * |
559 | * The IKeymasterDevice HAL must read the current OS version from the system property | 567 | * The IKeymasterDevice HAL must read the current OS version from the system property |
560 | * ro.build.id and deliver it to the secure environment when the HAL is first loaded (mechanism | 568 | * ro.build.version.release and deliver it to the secure environment when the HAL is first |
561 | * is implementation-defined). The secure environment must not accept another version until | 569 | * loaded (mechanism is implementation-defined). The secure environment must not accept another |
562 | * after the next boot. If the content of ro.build.id has additional version information after | 570 | * version until after the next boot. If the content of ro.build.version.release has additional |
563 | * the sub-minor version number, it must not be included in Tag::OS_VERSION. If the content is | 571 | * version information after the sub-minor version number, it must not be included in |
564 | * non-numeric, the secure environment must use 0 as the system version. | 572 | * Tag::OS_VERSION. If the content is non-numeric, the secure environment must use 0 as the |
573 | * system version. | ||
565 | * | 574 | * |
566 | * Must be hardware-enforced. | 575 | * Must be hardware-enforced. |
567 | */ | 576 | */ |
@@ -659,8 +668,8 @@ enum Tag : uint32_t { | |||
659 | 668 | ||
660 | /** | 669 | /** |
661 | * Tag::ATTESTATION_ID_BRAND provides the device's brand name, as returned by Build.BRAND in | 670 | * Tag::ATTESTATION_ID_BRAND provides the device's brand name, as returned by Build.BRAND in |
662 | * Android, to attestKey(). This field is set only when requesting attestation of the device's | 671 | * Android, to attestKey(). This field must be set only when requesting attestation of the |
663 | * identifiers. | 672 | * device's identifiers. |
664 | * | 673 | * |
665 | * If the device does not support ID attestation (or destroyAttestationIds() was previously | 674 | * If the device does not support ID attestation (or destroyAttestationIds() was previously |
666 | * called and the device can no longer attest its IDs), any key attestation request that | 675 | * called and the device can no longer attest its IDs), any key attestation request that |
@@ -672,8 +681,8 @@ enum Tag : uint32_t { | |||
672 | 681 | ||
673 | /** | 682 | /** |
674 | * Tag::ATTESTATION_ID_DEVICE provides the device's device name, as returned by Build.DEVICE in | 683 | * Tag::ATTESTATION_ID_DEVICE provides the device's device name, as returned by Build.DEVICE in |
675 | * Android, to attestKey(). This field is set only when requesting attestation of the device's | 684 | * Android, to attestKey(). This field must be set only when requesting attestation of the |
676 | * identifiers. | 685 | * device's identifiers. |
677 | * | 686 | * |
678 | * If the device does not support ID attestation (or destroyAttestationIds() was previously | 687 | * If the device does not support ID attestation (or destroyAttestationIds() was previously |
679 | * called and the device can no longer attest its IDs), any key attestation request that | 688 | * called and the device can no longer attest its IDs), any key attestation request that |
@@ -685,7 +694,7 @@ enum Tag : uint32_t { | |||
685 | 694 | ||
686 | /** | 695 | /** |
687 | * Tag::ATTESTATION_ID_PRODUCT provides the device's product name, as returned by Build.PRODUCT | 696 | * Tag::ATTESTATION_ID_PRODUCT provides the device's product name, as returned by Build.PRODUCT |
688 | * in Android, to attestKey(). This field is set only when requesting attestation of the | 697 | * in Android, to attestKey(). This field must be set only when requesting attestation of the |
689 | * device's identifiers. | 698 | * device's identifiers. |
690 | * | 699 | * |
691 | * If the device does not support ID attestation (or destroyAttestationIds() was previously | 700 | * If the device does not support ID attestation (or destroyAttestationIds() was previously |
@@ -697,7 +706,7 @@ enum Tag : uint32_t { | |||
697 | ATTESTATION_ID_PRODUCT = TagType:BYTES | 712, | 706 | ATTESTATION_ID_PRODUCT = TagType:BYTES | 712, |
698 | 707 | ||
699 | /** | 708 | /** |
700 | * Tag::ATTESTATION_ID_SERIAL the device's serial number. This field is set only when | 709 | * Tag::ATTESTATION_ID_SERIAL the device's serial number. This field must be set only when |
701 | * requesting attestation of the device's identifiers. | 710 | * requesting attestation of the device's identifiers. |
702 | * | 711 | * |
703 | * If the device does not support ID attestation (or destroyAttestationIds() was previously | 712 | * If the device does not support ID attestation (or destroyAttestationIds() was previously |
@@ -710,7 +719,7 @@ enum Tag : uint32_t { | |||
710 | 719 | ||
711 | /** | 720 | /** |
712 | * Tag::ATTESTATION_ID_IMEI provides the IMEIs for all radios on the device to attestKey(). | 721 | * Tag::ATTESTATION_ID_IMEI provides the IMEIs for all radios on the device to attestKey(). |
713 | * This field is set only when requesting attestation of the device's identifiers. | 722 | * This field must be set only when requesting attestation of the device's identifiers. |
714 | * | 723 | * |
715 | * If the device does not support ID attestation (or destroyAttestationIds() was previously | 724 | * If the device does not support ID attestation (or destroyAttestationIds() was previously |
716 | * called and the device can no longer attest its IDs), any key attestation request that | 725 | * called and the device can no longer attest its IDs), any key attestation request that |
@@ -723,7 +732,7 @@ enum Tag : uint32_t { | |||
723 | 732 | ||
724 | /** | 733 | /** |
725 | * Tag::ATTESTATION_ID_MEID provides the MEIDs for all radios on the device to attestKey(). | 734 | * Tag::ATTESTATION_ID_MEID provides the MEIDs for all radios on the device to attestKey(). |
726 | * This field will only be set when requesting attestation of the device's identifiers. | 735 | * This field must be set only when requesting attestation of the device's identifiers. |
727 | * | 736 | * |
728 | * If the device does not support ID attestation (or destroyAttestationIds() was previously | 737 | * If the device does not support ID attestation (or destroyAttestationIds() was previously |
729 | * called and the device can no longer attest its IDs), any key attestation request that | 738 | * called and the device can no longer attest its IDs), any key attestation request that |
@@ -736,7 +745,7 @@ enum Tag : uint32_t { | |||
736 | 745 | ||
737 | /** | 746 | /** |
738 | * Tag::ATTESTATION_ID_MANUFACTURER provides the device's manufacturer name, as returned by | 747 | * Tag::ATTESTATION_ID_MANUFACTURER provides the device's manufacturer name, as returned by |
739 | * Build.MANUFACTURER in Android, to attstKey(). This field is set only when requesting | 748 | * Build.MANUFACTURER in Android, to attstKey(). This field must be set only when requesting |
740 | * attestation of the device's identifiers. | 749 | * attestation of the device's identifiers. |
741 | * | 750 | * |
742 | * If the device does not support ID attestation (or destroyAttestationIds() was previously | 751 | * If the device does not support ID attestation (or destroyAttestationIds() was previously |
@@ -749,8 +758,8 @@ enum Tag : uint32_t { | |||
749 | 758 | ||
750 | /** | 759 | /** |
751 | * Tag::ATTESTATION_ID_MODEL provides the device's model name, as returned by Build.MODEL in | 760 | * Tag::ATTESTATION_ID_MODEL provides the device's model name, as returned by Build.MODEL in |
752 | * Android, to attestKey(). This field is set only when requesting attestation of the device's | 761 | * Android, to attestKey(). This field must be set only when requesting attestation of the |
753 | * identifiers. | 762 | * device's identifiers. |
754 | * | 763 | * |
755 | * If the device does not support ID attestation (or destroyAttestationIds() was previously | 764 | * If the device does not support ID attestation (or destroyAttestationIds() was previously |
756 | * called and the device can no longer attest its IDs), any key attestation request that | 765 | * called and the device can no longer attest its IDs), any key attestation request that |
@@ -815,7 +824,7 @@ enum Tag : uint32_t { | |||
815 | * Tag::NONCE is used to provide or return a nonce or Initialization Vector (IV) for AES-GCM, | 824 | * Tag::NONCE is used to provide or return a nonce or Initialization Vector (IV) for AES-GCM, |
816 | * AES-CBC, AES-CTR, or 3DES-CBC encryption or decryption. This tag is provided to begin during | 825 | * AES-CBC, AES-CTR, or 3DES-CBC encryption or decryption. This tag is provided to begin during |
817 | * encryption and decryption operations. It is only provided to begin if the key has | 826 | * encryption and decryption operations. It is only provided to begin if the key has |
818 | * Tag::CALLER_NONCE. If not provided, an appropriate nonce or IV will be randomly generated by | 827 | * Tag::CALLER_NONCE. If not provided, an appropriate nonce or IV must be randomly generated by |
819 | * Keymaster and returned from begin. | 828 | * Keymaster and returned from begin. |
820 | * | 829 | * |
821 | * The value is a blob, an arbitrary-length array of bytes. Allowed lengths depend on the mode: | 830 | * The value is a blob, an arbitrary-length array of bytes. Allowed lengths depend on the mode: |
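Review bot: For Tag::APPLICATION_ID and Tag::APPLICATION_DATA, replacing `Must be hardware-enforced.` with `Must never appear in KeyCharacteristics.` leaves the comment with no statement of where the check is enforced. The surrounding context describes the tag content as needed to decrypt the key, which suggests the secure environment still enforces the binding; if so, keep both requirements, for example `* Must never appear in KeyCharacteristics. Must be enforced by the secure environment.` (exact wording for the HAL owners to confirm). Two wording slips also survive in lines this commit rewrites: `attstKey()` in the ATTESTATION_ID_MANUFACTURER comment should be `attestKey()`, and `Tag::ATTESTATION_ID_SERIAL the device's serial number` is missing the verb `provides`. Each of these comment blocks starts or ends outside its hunk.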