CDD: Add per-user block-level encryption to storage encryption
Add an alternative section to define encryption requirements for
device implementations using per-user block-level encrypted
partition.
Bug: 184198954
Test: none
Change-Id: Icba5a5541c367f8863466b453e249800c1f6d9aa
Merge "CDD: Carveout automotive from Restricted profiles" into android11-dev
Merge "CDD: TrustAgent and Biometric Carve-out" into android11-dev
CDD: Added local regulations carveout to Device Identifiers requirements.
Updating device identifiers requirements to allow apps to have access
to SIM serial number/ICCID where local regulations require the app to
detect changes in subscriber identity.
Change-Id: I0c5559d05de30a70cb6139b65249744a1eb8ec84
BUG: 168387648
CDD: TrustAgent and Biometric Carve-out
7.3.10: Relaxing C-1-8 biometrics requirement for upgrading devices.
9.11.1: Relaxing C-7-8 trustagent requirement for Automotive,
considering driver distraction could be of concern.
Bug: 141269831
Test: NA
Change-Id: I922d92300ad6565d99adff732877052e02f14850
(cherry picked from commit debd0994d09ffd162d916b710d0ad9c5311a2f03)
CDD: Carveout automotive from Restricted profiles
Removed the multiple user restricted profiles from
the core requirement and add them to all the
device configurations except automotive
Bug: 143736934
Test: N/A
Change-Id: Ia9d8e606a50567c2dfab190423923c809ecc5ca2
(cherry picked from commit fe5bc486b29c74bec3b9e67283e393314db6d055)
CDD: Added in TextClassifier as part of ContentCapture
requirements.
This change has been introduced to ensure that TextClassifier
Service does not exfiltrate data off the device.
Bug: 149022430
Change-Id: I77368a337d54e54e6261fa7338f135208e322126
Merge "CDD: Update requirements for Android biometrics" into rvc-dev
Merge "CDD: Mandate metadata encryption" into rvc-dev
Merge "CDD: Intents Classification and Clarification" into rvc-dev
CDD: Mandate metadata encryption
Improvements in kernel support mean that we can now enable metadata
encryption on all devices. Metadata encryption improves user privacy,
and testing is more effective when we reduce ways for devices to vary.
Bug: 147690095
Test: n/a
Change-Id: Id94f110ad64b39db55d43501e929b26431b7fc53
Merge "CDD: Requirements for Blob Sharing Service." into rvc-dev
CDD: Strongly recommend kernel heap initialization
The idea is to eliminate bugs related to using uninitialized heap
variables in the kernel by force-initializing all the heap allocations
(page alloc and kmalloc()). This includes potential stability bugs as well
as information leaks as well as vulnerabilities related to control flow
subversion. Together with stack initialization, this change is going to
mitigate most of the bugs related to uninitialized memory in the kernel.
Test: None
Bug: 143931827
Signed-off-by: Alexander Potapenko <glider@google.com>
Change-Id: I3af6f5d8a02fd3895b9c5e125a602e8672478488
CDD: Intents Classification and Clarification
Intents have been classified as application intents and
broadcast intents.
Application intents have been listed for each form factor.
Removed the terminology of Core intents and called it common
application intents to be more inline with the developer pages.
Also renamed section "3.2.3.5 default app settings" to
"conditional application intents" and moved in the conditional
application intents in that section.
The goal is to provide clarity to OEM's and developers on the
list of intents to expect an activity/handler.
Change-Id: I4416c2b06b7845581e701f8137e7d870d4749938
BUG: 148181180
CDD: Requirements for Blob Sharing Service.
Blob Sharing is a new feature in R which allows
apps to share data blobs with other apps by contributing
the data to the system. The purpose of these new CDD requirements
are to ensure data blobs belonging to apps are only shared as
restricted by the originating application.
Bug: 145299226
Test: visual inspection in markdown editor
Change-Id: I0b418af6b32a85b2fdff4ca50168b9eadbf0f03a
Merge "CDD: Require OTA Resume On Reboot feature." into rvc-dev
CDD: Require OTA Resume On Reboot feature.
Update File-based encryption to included content related to Resume On Reboot requirements.
Bug: b/145144304
Change-Id: Ifd18665d28e26e9afa7ac63011e1484f2559d6cc
Merge "CDD: Requirements for Connectivity bug reports." into rvc-dev
Merge "CDD: Clarify escrow token policy for Automotive" into rvc-dev
CDD: Clarify escrow token policy for Automotive
To ensure proper escrow token usage for
trusted devices, clarify that the encryption
keys must not be stored in any part of the
vehicle even if they are outside of Android
automotive head unit.
Bug: 151435941
Test: NA
Change-Id: I7450d0c116e832fef549074852a463afabc10c98
Merge "CDD: Added requirements of file-based on-access verification" into rvc-dev
CDD: Added requirements of file-based on-access verification
The new articles require device implementation to support on-access
verification with trusted certificates, such that for an enabled file,
if a part of the file is tampered with, a read from the tampered part
will fail.
As an example, fs-verity, which is an implementation in Linux kernel
and is used to protect an APK if the APK is installed with a trusted
signature.
Test: check in an MD viewer
Bug: 144365636
Change-Id: Icae88a7cc3e4cdb61cf08cab98ab8adfa2931f77
CDD: Requirements for Connectivity bug reports.
This new type of bug report is well-defined starting with Android R, and
is intended to capture information relevant to connectivity (telephony,
wi-fi, and networking) debugging without including unnecessary PII.
Bug: 145145343
Change-Id: Ie6e320482aaf07ca0b739a14ce627d6545367aa3
CDD: Update requirements for Android biometrics
Update biometric section to clarify security requirements and enforce
consistent biometric implementations. This ensures that biometric
solutions are correctly implemented and surfaced via the biometrics APIs,
and that their security is measured and tested appropriately.
Bug: 145928315
Test: make -j
Change-Id: I633980e0f8993eb5814451e57601c216e03adaa8
Merge "CDD: Add section for app data migration" into rvc-dev
Merge "CDD: Changes related to Scoped Storage" into rvc-dev
CDD: Changes related to Scoped Storage
* Dropped references to WRITE_EXTERNAL_STORAGE and
WRITE_MEDIA_STORAGE permissions as the permission
WRITE_EXTERNAL_STORAGE is a no-op for apps targeting Android R.
Also the privileged permission WRITE_MEDA_STORAGE is deprecated
in Android R.
* Scoped storage is enforced only by target SDK but the flag
requestLegacyExternalStorage is not a way to opt out when targeting
Android R.
* We no longer need text to emphasize how apps can access SD cards,
this is enforced in the SDK
* Raw file path access now allowed as privacy rules are enforced
behind the scenes
BUG: 144375132
Change-Id: I292426ee55ecb395dcdbcc3f840d8c9bc5e7a6fc
CDD: Add section for app data migration
Allow devices to offer a device-to-device application data migration
capability that does not limit the application data it copies to what
is configured by the application developer in the manifest and any
backup include and exclude files, subject to certain security and
privacy requirements.
Bug: 143524713
Change-Id: Iccf72a4b4e6959b63d0311cd50a2f09e83aa8562
Merge "CDD: Require to display the same consistent UI for ACTION_MANAGE_OVERLAY_PERMISSION intent." into rvc-dev
Merge "CDD: Remove sleep timeout configuration for Automotive" into rvc-dev
CDD: Remove sleep timeout configuration for Automotive
Automotive devices have a different timeout.
The screen goes to locked screen whenever
the vehicle is turned off or the user
profile is switched. The timeout configuration
is not an applicable setting for automotive
devices. Removing the requirement.
Bug: 154351787
Test: NA
Change-Id: I339b85850adec12843bb8506b081912e6abb7659
Merge "CDD: Emergency Location Bypass API for Automotive" into rvc-dev
Merge "CDD: strongly recommend kernel stack initialization" into rvc-dev
Merge "CDD: Add Identity Credential as STRONGLY RECOMMENDED" into rvc-dev
CDD: Emergency Location Bypass API for Automotive
Clarify that automotive may use emergency
location bypass in the case of detection
of a crash/accident, satisfying eCall requirements
Bug: 152455211
Test: NA
Change-Id: I5b27dabd76ecba393ba85f9b08775caf9614cbeb
CDD: Add Identity Credential as STRONGLY RECOMMENDED
The Identity Credential System allows app developers to store
and retrieve user identity documents, device implementations are
strongly recommended to implement Identity Credential in a secure area.
Bug: 146022741
Test: n/a
Change-Id: I69bb11fdb1e9b7abcc73bf4ff23a447ca4a413de
Merge "CDD: mandate non-reversible FBE key derivation function" into rvc-dev
CDD: mandate non-reversible FBE key derivation function
The kernel portion of FBE originally used an AES-128-ECB based Key
Derivation Function (KDF) to derive per-file keys. While this met the
original security requirements, it is not a standard KDF and it does not
follow cryptographic best practices. For example, it is reversible, so
if a single file's key was compromised then all other files protected by
the same FBE policy were too. It is also inflexible, making it hard to
add new features to FBE and encouraging poor practices like reusing the
FBE master keys for both encryption and key derivation.
Android R supports a new FBE policy version which uses HKDF-SHA512
to derive all subkeys from the master key. It can be enabled using an
fstab option like "fileencryption=aes-256-xts:aes-256-cts:v2". It is
also the default setting when the shipping API level is >= R. Kernel
support is in android-4.14 and later, and in the upstream Linux kernel.
So, start requiring that a strong KDF be used and that FBE keys are not
used for different cryptographic purposes. As with the other storage
encryption format requirements, this only applies to new devices; this
is covered by the paragraph at the beginning of section 9.9.
This requirement does not require any special hardware support, and the
new KDF performs as well or better than the old KDF.
Bug: 144509061
Change-Id: Ie8b8df0a19be21dcfb7aed18aa3ac7e9c7e2b893
CDD: strongly recommend kernel stack initialization
The idea is to eliminate bugs related to using uninitialized local
variables in the kernel by force-initializing all the locals. This
includes potential stability bugs as well as information leaks as well
as vulnerabilities related to control flow subversion. Together with
heap initialization, this change is going to mitigate most of the bugs
related to uninitialized memory in the kernel.
Test: None
Bug: 143863382
Signed-off-by: Alexander Potapenko <glider@google.com>
Change-Id: Ia0fe68df775a89c1d49b8d348fd105dcb41ff494
CDD: Require to display the same consistent UI for
ACTION_MANAGE_OVERLAY_PERMISSION intent.
Without such requirement intent android.settings.action.MANAGE_OVERLAY_PERMISSION
with data URI “package:<package>” can redirect the user
to the app-specific screen to enable permission
android.permission.SYSTEM_ALERT_WINDOW. This makes it too
easy for malicious apps to fool the user into enabling it.
Bug: 145286669
Change-Id: I5fce6cc6bf21b93f953b53ce077c0272dc71bae2
CDD: MUST NOT expose app details to other apps
Apps targeting Android 11 cannot see details about other installed apps
by default, due to the package visibility change.
Bug: 145293555
Change-Id: Iba1d6facb57f492589c3f5d61c719d0369367d1c
Docs: Almost final Cleanup CL.
Bug: 140142603
Test: ./cdd_gen.sh --version <version-number> --branch <branch-name>
Change-Id: Ib0a8e55035eab94ff6ab28ad3c6aa6c7c1ae19d3
Docs: Editorial Fixes for Section 9.8 and 5.2.5 (video codec table)
bug: b/140142603
test: NA
Change-Id: Ie5047a8497c94c4cb4e9f0b2bbea51efab9f2eda
Docs: Whitespace at EOF
Last line of file should end with a single newline.
Bug: 140034464
Test: N/A
Change-Id: Icdaaf61f25a0448fdf866fee4295b0ee15348812
Docs: Fix misspellings
Bug: 140034464
Test: N/A
Change-Id: If526c0b31459c7f368c623a0d0e916bfc3fd344f
CDD: Lockscreen and biometrics changes
- Introducing new biomatrics tier model, adding
the requirements and constraints for each tier.
- Some editorial changes by reorganizing and folding some sections
- Transferred ag/6940471 on master to qt-branch
Bug: 126002559
Bug: 120995257 (7.3.10/C-2-5)
Bug: 124243324 (9.11.1/C-7-12)
Bug: 124403616 (7.3.10 additional background)
Bug: 123365828 (9.11.1/C-7-11)
Test: NA
Change-Id: Ib36d40935c77ec370a2494ddb1506b0a952fd525
CDD: Updating location and corresponding privacy requirements
- Some minor changes for reporting GNSS measurements
- Bumping up from Should to SR for 3-axis accelerometer
- Update privacy requirements related to the user's location to align
with the updated privacy policy
Bug: 124539379
Bug: 124405285
Bug: 124405354
Bug: 123593924
Bug: 124404671
Bug: 124404696
Test: N/A
Change-Id: I6278b6af8f1f3f00fe455d66fa051d3d7f5a2dc7
CDD: Tighten keystore req
- Tighten the security consistently for Android ecosystem.
- Remove the condition of a secure lock screen for Keystore reqs for
form-factors (i.e. Handheld, Auto, TV) that have adopted keystore reqs.
Bug: 111748530
Change-Id: If7682e1410b52390135627d3edc9724d779a265f
CDD: Require user consent for screen casting and screen recording
- Provide more transparency for users about casting/screen recording.
Bug: 135560873
Test: N/A
Change-Id: I36c4f4e26e113bd24737bb0b5fc1476f6d378c83
CDD: Update clipboard requirement
- Updating the clipboard requirement to improve privacy.
Test: N/A
Fixes: 121159550
Change-Id: Id1cd6237ee741acdf2a24c43a9c4f5f2ec09d0ee
Merge "CDD: Require runtime permission for location and physical Activity" into qt-dev
CDD: Require runtime permission for location and physical Activity
- Ensure the correct permission model is implemented for both location
and proprietary APIs that return location and physical activity.
- Correspond with the improved location/activity permission in Q.
Test: N/A
Bug: 124308476
Bug: 124124462
Change-Id: If5deec3f9c45c1784f66ebf24936e50602cd24a3
CDD: Update privacy requirements for capturing contents
- Ensure the data captured on the device will not be leaked and abused.
Bug: 124510178
Test: none
Change-Id: I9840d1fca81b85c5198882ba8ddbdff527896e02
CDD: priv apps root of trust on Verified Boot
- This is a minor language improvement for the spirit. Previously, the
document explicitly requires /system, but actually all partition
protected by Verified Boot is fine.
Test: None
Bug: 123365823
Change-Id: I405371c69323bb95bc07e18c09b78ed2d1bcf46e
Merge "CDD: Scope Factory Data Reset(FDR) wording to userdata partition." into qt-dev
CDD: Revise section about Android Protected Confirmation API
- Make the security requirements more concise to cover a larger design
space of possible implementations while preserving the expected
security guarantees.
Bug: 119186987
Test: n/a
Change-Id: I64a7b52a1218df8f16a2a6bb63f1d78465b9d916
CDD: Scope Factory Data Reset(FDR) wording to userdata partition.
This is to improve user data privacy.
Bug: 124238463
Test: None
Change-Id: I0a098daec3362417b105bda7be56cea424f62253
CDD: Permisssions for the hardRestricted level
- The permission model (including permission) restriction is the most
important mechanism to protect the users privacy
- Apps need a consitent permission model to be able to effectivly deal
with user data
Fixes: 124522273
Change-Id: If85a3f266ab75de64e5ac840101fb3ce983e179d
CDD: Clarify privacy requirement for bugreports.
Clarify that bugreports are covered by the following requirement:
MUST NOT preload or distribute software components out-of-box that send
user's private information off the device without the user's consent or
clear ongoing notifications.
Bug: 132458597
Test: N/A
Change-Id: I4d1732bb45153e5eccce1964437f9bdf25350d54
CDD: Require new device identifier access restrictions
Devices must prevent access to all device identifiers from
an app that does not meet one of the new requirements.
Bug: 123367433
Test: N/A
Change-Id: I683ff569f8f51c38fa4defa0f60c898ea48414ab
Merge "CDD: Relax hardware vulnerability requirements" into qt-dev
Merge "CDD: Update CDD for CFI and SCS" into qt-dev
CDD: Strongly recommend StrongBox for devices with secure processors
This arguably is a weakening of the P recommendation, but it's part of
an incremental strategy to mandate StrongBox across the entire
ecosystem. We'll start by recommending it for devices with the
necessary hardware, then move to mandating it for such devices and
recommending that all devices add such hardware, then mandate it for
all devices.
Bug: 135707870
Test: N/A
Change-Id: Idf18fde8fc163ee0944a6ce1e611441414ebc461
Merge "CDD: Align mic and playback capture requirement" into qt-dev
CDD: Relax hardware vulnerability requirements
Limit mitigation requirements to vulnerable hardware.
Bug: 122834364
Change-Id: If81385671bfd42f0d100f139c081fd759de81cd0
CDD: Align mic and playback capture requirement
- The two audio sources should have the same privacy requirements.
- Some typo correction for section 5.4.
Test: N/A
Bug: 124333245
Change-Id: Ida67df090b028b35f0dbea84c1e43de8339c5696
Signed-off-by: Kevin Rocard <krocard@google.com>
CDD: Update CDD for CFI and SCS
-Strongly recommend shadow-call-stack (SCS) and control-flow-integrity
(CFI) for the kernel and userspace to provide additional protection
against code-reuse attacks.
Bug: 123365748
Test: --
Change-Id: Ida7b2f190da26439443d5247d467047e134933c1
CDD: Remove "shared device" exception for encryption
-This can potentially be used to try to gain exceptions for devices
we never envisioned (for example, many phones allow multiple user
accounts, and any device shipping with family features is
pretty much by definition going to be "shared").
-This exception was also somewhat designed for devices with
lower hardware capabilities. But with Adiantum available, we
haven't seen any data showing such an exception is still
needed.
Bug: 124123642
Test: None
Change-Id: Ie2b3f0b5be2c8cda80176160255558e6e5a2cff5
CDD: Remove encryption performance exception
We now require encryption on all devices, without any
exceptions for performance.
For devices which lack AES CPU instructions, and thus have
performance concerns with AES, we allow the use of Adiantum as
the encryption method.
Bug: 118200376
Test: None
Change-Id: I219fd6d1733c053741d8b71b7f5bd067938d1196
CDD: Remove FDE, mandate FBE where encryption is mandated
- Already-launched devices are exempted, and must instead follow
mandates of their launch CDD.
Bug: 118760699
Test: not applicable to CDD changes
Change-Id: Icea70b46c986af187248d9b946e5c17d2b8ef1dd
CDD: Clarify data deletion requirements
- Make it clear that all generated data, not just user-generated data
should be deleted on factory device reset.
- Clarify that only operating system files on read-only filesystems are
exempt from being deleted.
Bug: 124238463
Test: None
Change-Id: I3cd0bb57ed2c425763b7a50849dc216bc5dcab50
Docs: Errata for Android 9 CDD.
- Fixed Section 9.10 by removing C-2-1 due to the introduction of C-0-2
- Fixed typos in other sections
Bug: 112010610
Test: ./cdd_gen.sh --version 9 --branch pie-dev
Change-Id: Ie4003beb20425a7fc83cf68ea23772aca389b85b
Merge pi-dev as of ag/4582919 into stage-aosp-master.
Bug: 112189069
Change-Id: I67297b2d6eb189283acb350c1001010f0e9c81d9
CDD: Move the req of supporting encryption under perf carve-out
- Ensure the consistent security across devices
- Replace the carve-out of secure lock screen with the perf carve-out
for supporting encryption
Test: None
Bug: 71909258
Change-Id: Ied56bb0bdd99e3f27e68c13829073c5982019c74
Merge "CDD: Require logging of some basic events available to app developers through statsd." into pi-dev
CDD: Clarifying kernel page table isolation
- Modifying the requirement language for C-0-12(kernel page table isolation)
requirement to add clarity.
Bug: 79088532
Change-Id: If3b3da40b78203c177cb4b833ea49837336a72b7
Merge "CDD: Requirements for services that have access to "android.permission.RECOVER_KEYSTORE"" into pi-dev
CDD: Require logging of some basic events available to app developers through statsd.
Enlist required fields to be more specific about what is
needed for developer tools and what is needed for privacy.
Bug: 76161779
Bug: 74125988
Test: None
Change-Id: I4ff9a73f72c3270caaac0f116297d666a58561fb
CDD: Requirements for services that have access to "android.permission.RECOVER_KEYSTORE"
- Prevent brute-force attacks on the lockscreen knowledge factor.
Bug: 73599998
Test: None
Change-Id: I8f7fa701b11f015e26429c4683a36d37aa2faa47
Merge "CDD: Add section about Android Protected Confirmation API" into pi-dev
Merge "CDD: Update CDD language for biometrics and lockscreen." into pi-dev
CDD: Add section about Android Protected Confirmation API
- Device implementations with secure hardware may implement the
Android Protected Confirmation API to request the user to
approve a textual message.
Bug: 73001803
Test: n/a
Change-Id: I96c5929b0b4ab99b31a9fe7ca0ac82710f94cdca
CDD: Update CDD language for biometrics and lockscreen.
This CL makes CDD changes that are aimed at providing more explicit
guidance on creating secure biometric based unlocks, and on
consolidating the CDD language for secure lockscreens to make the
authentication model consistent with our security bar.
More specifically, it changes the following things:
(1) A new section similar to "7.3.10 Fingerprint Sensors" that's more
generic and applicable to all biometric sensors. Should have mostly
the same constraints but slightly altered where necessary.
(2) Language that deals with match-on-chip solutions for biometrics.
(3) A new requirement in 9.11 that mandates keeping a minimum
Sleep timeout of at most 15 seconds.
(4) New requirements in "9.11.1 Secure Lock Screens" that:
(a) Constrain what a primary authentication can be.
(b) Adds information related to alternate biometric unlocks and
adhering to the SAR/IAR bar that was introduced in the 8.1 CDD
(c) Adds requirements around 'passive' biometric unlocks like Face
when used to unlock keystore keys.
(d) Clarifies some language around falling back to requiring primary
auth every 72 hours for all non-primary modes of authentication
(5) Removes the API requirement to return false for both the KeyguardManager.isKeyguardSecure() and the KeyguardManager.isDeviceSecure() methods.
Bug: 73723272
Bug: 77656214
Bug: 111053551
Test: --
Change-Id: Iede9eba5ac79de56802cd830c3dc4e521f40e098
CDD: 9.10. Device Integrity: Change verified boot items from SR to MUST.
Change STRONGLY RECOMMENDED to MUST for verified boot items and slight
cleanup of language used:
- MUST use tamper-evident storage: for storing whether the bootloader
is unlocked. Tamper-evident storage means that the boot loader can
detect if the storage has been tampered with from inside Android.
- MUST prompt the user, while using the device, and require physical
confirmation before allowing a transition from boot loader locked
mode to boot loader unlocked mode.
- MUST implement rollback protection for the partitions used by
Android (e.g. boot, system partitions) and use tamper-evident
storage for storing the metadata used for determining the minimum
allowable OS version.
Test: n/a
Bug: 72919368
Change-Id: Ifcb0c994cb86f92a422dcde6fa6da1ca064d4ca0
Merge "CDD: StrongBox requirements" into pi-dev
Merge "CDD: Update CDD changes for CFI and IOSAN" into pi-dev
Merge "CDD: Recommend metadata encryption" into pi-dev
Merge "CDD: Require verified boot on all devices, including low ram devices" into pi-dev
CDD: Update CDD changes for CFI and IOSAN
This CL renames section 9.7 to 'Security Features' (instead of kernel
security features), and adds a new sub-section for userspace specific
security feature advice. There's only a single recommendation in for
P, but we will be using this section to add more details and
recommendations/constraints for Q.
Bug: 73724250
Test: --
Change-Id: If45c5fd9b7668dcafc9ce8dbd2a59b9c4418ca42
CDD: StrongBox requirements
- Tighten the security by supporting StrongBox.
- Clarifying the requirements if StrongBox is supported.
Bug: 73002261
Test: N/A
Change-Id: I9834ced2e697bee013cb0725f31745826da1f0c5
CDD: Require verified boot on all devices, including low ram devices
We remove the low RAM exception for verified boot.
Test: None
Bug: 73374550
Change-Id: I340e8753c8648bbe2a68426123851359d4cba1cb
Merge "CDD: Handheld MUST include an application that handles intents related to Storage Access Framework (SAF)" into pi-dev
Merge "Docs: clarify that that CONFIG_ARM_LPAE is not allowed for 32-bit ARM" into pi-dev
Docs: clarify that that CONFIG_ARM_LPAE is not allowed for 32-bit ARM
- It's incompatible with PAN emulation for arm32 kernels.
- This is already implicitly tested when checking for
CONFIG_CPU_SW_DOMAIN_PAN.
Bug: 109828784, 74078653, 79088532, 73728376
Test: n/a
Change-Id: Idb6a96d6f8c13a959b4bdc2c5580294beeff2d7c
CDD: Allow escrow keys to unlock CE storage.
- Much of the purpose of escrow keys is to allow storage
to be unlocked when a user forgets their LSKF, so we
must allow this in CDD.
Bug: 111561428
Test: Documentation change.
Change-Id: I0de44228e35728713405a8d84ec3b8e6f8a9ecbf
Merge "CCD: Add recommendations for Full Stack Integrity" into pi-dev
Merge "CDD: Require to include only the data with 'DEST_AUTO' in the incident report" into pi-dev
CDD: Recommend metadata encryption
- Tighten the security.
Bug: 73662717
Test: Compiled and inspected HTML
Change-Id: Ib2be403ef2db8525c9ad579a289eca79132696e9
CDD: MUST NOT send user's private data off the device without the user's consent
- Ensure that user's private data is protected and is not sent off the device without user's consent.
Bug: 74620344
Change-Id: I41559d7d3903ea3d44d1471abe896ad7698ef6be
Test: N/A
CDD: Require to include only the data with 'DEST_AUTO' in the incident report
Ensure that the data other than `DEST_AUTO` is not included in the report for
privacy protection. As fields or messages annotated with DEST_AUTO
can be sent by automatic means, without per-sending user consent. The user
still must have previously accepted a consent to share this information.
Bug: 76161779
Test: N/A
Change-Id: I813c96d43395b092ab0e8681893cf205723d26bb