1. Docs: Typo fixes.
    
    Test: ./cdd_gen.sh --version 9 --branch pie-dev
    Change-Id: Ic4a076c8c09bcae2317edc4251502caedef3a3d1
    
  2. CDD: Expand allowed encryption implementation
    
    Previously, if a device had AES performance <= 50 MiB/sec, it
    had two options: Encryption with AES, or no encryption.
    
    We add a third option for this class of device: Encryption
    with Adiantum.  Adiantum provides better performance than AES
    on this class of device, while still providing strong protection.
    
    Note there is no change to the requirement that devices with
    AES performance > 50 MiB/sec MUST encrypt with AES.
    
    Test: None
    Change-Id: Ib612f2c8ebdb7631e3963f50020436a6af8d6ec5
    
  3. Docs: Consistent use of terms preinstalled and third-party.
    
    Test: make_cdd.py --version  <version-number> --branch <branch>
    Change-Id: I98b896d819fc5652aba1d19bf82d15670b6287a0
    
  4. Docs: Errata for Android 9 CDD.
    
    - Fixed Section 9.10 by removing C-2-1 due to the introduction of C-0-2
    - Fixed typos in other sections
    
    Bug: 112010610
    
    Test: ./cdd_gen.sh --version 9 --branch pie-dev
    Change-Id: Ie4003beb20425a7fc83cf68ea23772aca389b85b
    
  5. CDD: Move the req of supporting encryption under perf carve-out
    
    - Ensure the consistent security across devices
    - Replace the carve-out of secure lock screen with the perf carve-out
     for supporting encryption
    
    Test: None
    Bug: 71909258
    Change-Id: Ied56bb0bdd99e3f27e68c13829073c5982019c74
    
  6. Merge "CDD: Require logging of some basic events available to app developers through statsd." into pi-dev
  7. CDD: Clarifying kernel page table isolation
    
    - Modifying the requirement language for C-0-12 (kernel page table isolation)
     requirement to add clarity.
    
    Bug: 79088532
    Change-Id: If3b3da40b78203c177cb4b833ea49837336a72b7
    
  8. Merge "CDD: Requirements for services that have access to "android.permission.RECOVER_KEYSTORE"" into pi-dev
  9. CDD: Require logging of some basic events available to app developers through statsd.
    
    Enlist required fields to be more specific about what is
    needed for developer tools and what is needed for privacy.
    
    Bug: 76161779
    Bug: 74125988
    
    Test: None
    Change-Id: I4ff9a73f72c3270caaac0f116297d666a58561fb
    
  10. CDD: Requirements for services that have access to "android.permission.RECOVER_KEYSTORE"
    
    - Prevent brute-force attacks on the lockscreen knowledge factor.
    
    Bug: 73599998
    
    Test: None
    Change-Id: I8f7fa701b11f015e26429c4683a36d37aa2faa47
    
  11. Merge "CDD: Add section about Android Protected Confirmation API" into pi-dev
  12. Merge "CDD: Update CDD language for biometrics and lockscreen." into pi-dev
  13. CDD: Add section about Android Protected Confirmation API
    
     - Device implementations with secure hardware may implement the
       Android Protected Confirmation API to request the user to
       approve a textual message.
    
    Bug: 73001803
    Test: n/a
    Change-Id: I96c5929b0b4ab99b31a9fe7ca0ac82710f94cdca
    
  14. CDD: Update CDD language for biometrics and lockscreen.
    
    This CL makes CDD changes that are aimed at providing more explicit
    guidance on creating secure biometric based unlocks, and on
    consolidating the CDD language for secure lockscreens to make the
    authentication model consistent with our security bar.
    
    More specifically, it changes the following things:
    (1) A new section similar to "7.3.10 Fingerprint Sensors" that's more
    generic and applicable to all biometric sensors. Should have mostly
    the same constraints but slightly altered where necessary.
    (2) Language that deals with match-on-chip solutions for biometrics.
    (3) A new requirement in 9.11 that mandates keeping a minimum
    Sleep timeout of at most 15 seconds.
    (4) New requirements in "9.11.1 Secure Lock Screens" that:
      (a) Constrain what a primary authentication can be.
      (b) Adds information related to alternate biometric unlocks and
      adhering to the SAR/IAR bar that was introduced in the 8.1 CDD
      (c) Adds requirements around 'passive' biometric unlocks like Face
      when used to unlock keystore keys.
      (d) Clarifies some language around falling back to requiring primary
      auth every 72 hours for all non-primary modes of authentication
    (5) Removes the API requirement to return false for both the KeyguardManager.isKeyguardSecure() and the KeyguardManager.isDeviceSecure() methods.
    
    Bug: 73723272
    Bug: 77656214
    Bug: 111053551
    Test: --
    Change-Id: Iede9eba5ac79de56802cd830c3dc4e521f40e098
    
  15. CDD: 9.10. Device Integrity: Change verified boot items from SR to MUST.
    
    Change STRONGLY RECOMMENDED to MUST for verified boot items and slight
    cleanup of language used:
    
     - MUST use tamper-evident storage: for storing whether the bootloader
       is unlocked. Tamper-evident storage means that the boot loader can
       detect if the storage has been tampered with from inside Android.
    
     - MUST prompt the user, while using the device, and require physical
       confirmation before allowing a transition from boot loader locked
       mode to boot loader unlocked mode.
    
     - MUST implement rollback protection for the partitions used by
       Android (e.g. boot, system partitions) and use tamper-evident
       storage for storing the metadata used for determining the minimum
       allowable OS version.
    
    Test: n/a
    Bug: 72919368
    Change-Id: Ifcb0c994cb86f92a422dcde6fa6da1ca064d4ca0
    
  16. Merge "CDD: StrongBox requirements" into pi-dev
  17. Merge "CDD: Update CDD changes for CFI and IOSAN" into pi-dev
  18. Merge "CDD: Recommend metadata encryption" into pi-dev
  19. Merge "CDD: Require verified boot on all devices, including low ram devices" into pi-dev
  20. CDD: Update CDD changes for CFI and IOSAN
    
    This CL renames section 9.7 to 'Security Features' (instead of kernel
    security features), and adds a new sub-section for userspace specific
    security feature advice. There's only a single recommendation in for
    P, but we will be using this section to add more details and
    recommendations/constraints for Q.
    
    Bug: 73724250
    Test: --
    
    Change-Id: If45c5fd9b7668dcafc9ce8dbd2a59b9c4418ca42
    
  21. CDD: StrongBox requirements
    
    - Tighten the security by supporting StrongBox.
    - Clarifying the requirements if StrongBox is supported.
    
    Bug: 73002261
    Test: N/A
    Change-Id: I9834ced2e697bee013cb0725f31745826da1f0c5
    
  22. CDD: Require verified boot on all devices, including low ram devices
    
    We remove the low RAM exception for verified boot.
    
    Test: None
    Bug: 73374550
    Change-Id: I340e8753c8648bbe2a68426123851359d4cba1cb
    
  23. Merge "CDD: Handheld MUST include an application that handles intents related to Storage Access Framework (SAF)" into pi-dev
  24. Merge "Docs: clarify that CONFIG_ARM_LPAE is not allowed for 32-bit ARM" into pi-dev
  25. Docs: clarify that CONFIG_ARM_LPAE is not allowed for 32-bit ARM
    
    - It's incompatible with PAN emulation for arm32 kernels.
    - This is already implicitly tested when checking for
    CONFIG_CPU_SW_DOMAIN_PAN.
    
    Bug: 109828784, 74078653, 79088532, 73728376
    Test: n/a
    Change-Id: Idb6a96d6f8c13a959b4bdc2c5580294beeff2d7c
    
  26. CDD: Allow escrow keys to unlock CE storage.
    
    - Much of the purpose of escrow keys is to allow storage
      to be unlocked when a user forgets their LSKF, so we
      must allow this in CDD.
    
    Bug: 111561428
    Test: Documentation change.
    Change-Id: I0de44228e35728713405a8d84ec3b8e6f8a9ecbf
    
  27. Merge "CDD: Add recommendations for Full Stack Integrity" into pi-dev
  28. Merge "CDD: Require to include only the data with 'DEST_AUTO' in the incident report" into pi-dev
  29. CDD: Recommend metadata encryption
    
    - Tighten the security.
    
    Bug: 73662717
    Test: Compiled and inspected HTML
    Change-Id: Ib2be403ef2db8525c9ad579a289eca79132696e9
    
  30. CDD: MUST NOT send user's private data off the device without the user's consent
    
    - Ensure that user's private data is protected and is not sent off the device without user's consent.
    
    Bug: 74620344
    Change-Id: I41559d7d3903ea3d44d1471abe896ad7698ef6be
    Test: N/A
    
  31. CDD: Require to include only the data with 'DEST_AUTO' in the incident report
    
    Ensure that the data other than `DEST_AUTO` is not included in the report for
    privacy protection. As fields or messages annotated with DEST_AUTO
    can be sent by automatic means, without per-sending user consent. The user
    still must have previously accepted a consent to share this information.
    
    Bug: 76161779
    Test: N/A
    Change-Id: I813c96d43395b092ab0e8681893cf205723d26bb
    
  32. CDD: Add recommendations for Full Stack Integrity
    
    Android P adds support for extending the protections of Verified Boot
    beyond OS partitions to privileged apps that are installed on /data.
    This change recommends that device implementations perform
    integrity checks of these privileged apps.
    
    Test: None
    Bug: 73001552
    Change-Id: I773c4ad431ab0f2c16a762ba342653502ea98912
    
  33. Merge "CDD: Tightening kernel security requirements from SR to MUST" into pi-dev
  34. CDD: Tightening kernel security requirements from SR to MUST
    
    - The tightened MUST requirements are applicable for devices that
    originally ship with API level 28 and above.
    
    These security requirements provide better protections for the kernel by
    mitigating common classes of vulnerabilities and privilege escalation
    techniques.
    
    Bug: 74078653
    Bug: 79088532
    Bug: 73728376
    Test: n/a
    Change-Id: I62450948e5474939d94b22b280d11a6d56e35f3e
    
  35. Merge "CDD: add per-app selinux requirements for P" into pi-dev
  36. CDD: Describe subscription plan security model.
    
    Bug: 71816837
    Test: ./cdd_gen.sh
    Change-Id: I670a694bd37436e71b37f4746c5261d2d93b6b91
    
  37. CDD: add per-app selinux requirements for P
    
    Apps that target Android P can no longer share data with other apps
    using world-accessible Unix permissions. This change improves the
    integrity of the Android Application Sandbox, particularly the
    requirement that an app's private data is accessible only by that
    app. [1]
    
    To share files with another app, use a content provider
    or shared space in external storage.
    
    This feature enforces an existing requirement that files saved in
    internal storage are accessible by the owning app. [2]
    
    [1] https://developer.android.com/guide/topics/data/data-storage.html#filesInternal
    [2] https://developer.android.com/training/data-storage/files.html#PublicFiles
    
    Bug: 73728376
    Test: n/a
    Change-Id: Ib2a93fde25f660782f315d5e02978637680f7594
    
  38. resolve merge conflicts of e7278fe2c0fc37b428b14dcbd4b37ef05eb69678 to oc-mr1-dev-plus-aosp
    
    Test: I solemnly swear I tested this conflict resolution.
    Change-Id: I2b54c7d9f68e6a57fa002bbbea78bde979ee2122
    
  39. CDD: Clarify the key attestation is required only for new devices
    am: 59f5208e19
    
    Change-Id: Id1b0fe34aa6891ee65cc7efaae346fcc7af8a08d
    
  40. CDD: Clarify the key attestation is required only for new devices
    
    - Add the clarification note for 9.11 [C-1-4].
    - Clarified for old devices with earlier version of Android to be
    exempted from the key attestation requirement.
    
    Bug: 72461553
    Change-Id: I9b14119bcd67b5aa2063b3fb21b995fd658fc9d7
    
  41. Merge "CDD: Require verified boot when device has enough RAM vs. good AES-crypto performance" into oc-mr1-dev
    am: 3028793cd4
    
    Change-Id: I4bb0ee4bf995d362f35677cea7fba3cdaa64b225
    
  42. Merge "CDD: Require verified boot when device has enough RAM vs. good AES-crypto performance" into oc-mr1-dev
  43. Merge "CDD: Require secure storage of lock screen credentials" into oc-mr1-dev
    am: 0ea6e466a7
    
    Change-Id: Id91984da103cbdc1991259ef1606c70455ddf5de
    
  44. Merge "CDD: Require secure storage of lock screen credentials" into oc-mr1-dev
  45. CDD: Require verified boot when device has enough RAM vs.
    good AES-crypto performance
    
    Update verified boot requirement to be MUST for devices that report
    feature flag android.hardware.ram.normal
    
    Bug: 35039737
    Test: N/A
    Change-Id: If7346873f92879a551935b55597762a46b5e89c8
    
  46. Merge "CDD: Changes to measure biometric unlock security." into oc-mr1-dev
    am: 3a6ff29410
    
    Change-Id: Icfeef51e12db5335f3238adc0fc62cc25153abd1
    
  47. Merge "CDD: Changes to measure biometric unlock security." into oc-mr1-dev
  48. Merge "CDD: AES encrypt the encryption key by default" into oc-mr1-dev
    am: 009ff2c391
    
    Change-Id: I85ef23cb266b77f816ab462b189ee2fc36d72aac
    
  49. Merge "CDD: AES encrypt the encryption key by default" into oc-mr1-dev
  50. CDD: Require secure storage of lock screen credentials
    
    - With credential-based Factory Reset Protection, the
    credential handle is stored on an unencrypted partition. To maintain
    security guarantees, implementations must make sure that the handle
    does not leak information about the credential.
    
    Bug: 64209214
    Test: n/a
    Change-Id: I55f15cc75502016824d9307c03d947c4041744b0
    
  51. CDD: Changes to measure biometric unlock security.
    
    Adds imposter and spoof acceptance rate metrics for biometric based
    unlocks, and mandates showing a disclosure of the risks involved when
    an unlock modality does not meet the bar.
    
    Bug: 66013719
    Bug: 63910023
    Test: N/A
    Change-Id: I6a129481c0036c756f8c7d95cf3da1bab9f3f0f1
    
  52. CDD: AES encrypt the encryption key by default
    
    For Android O-MR1 we are requiring that all encryption keys are
    encrypted with AES by default, unless the user explicitly opts out.
    
    Bug: 33744049
    Change-Id: Ic74dcd960ef89b752f580bd2ce2e42acca643c1f
    Test: Not necessary -- this is a policy change.
    
  53. Docs: Move dev-specific reqs to Ch 2.
    
    Test: python make_cdd.py --version <version-number>  --branch <mybranch>
    
    Bug: 64164626
    Merged-In: Ie091c0be79ad4a797f26a60e95ee2594f053f804
    Change-Id: Ie091c0be79ad4a797f26a60e95ee2594f053f804
    (cherry picked from commit 0ece682cb7f915f4289ba6d7b5c86957e6d5d276)
    (cherry picked from commit d72cc3b7971126e352c0c8fd83693f458d3785ec)
    
  54. Docs: Move dev-specific reqs to Ch 2.
    
    Test: python make_cdd.py --version <version-number>  --branch <mybranch>
    
    Bug: 64164626
    Change-Id: Ie091c0be79ad4a797f26a60e95ee2594f053f804
    (cherry picked from commit 0ece682cb7f915f4289ba6d7b5c86957e6d5d276)
    
  55. Merge "CDD: add requirement for always-on VPN opt-out." into oc-mr1-dev
    am: f06e564dad
    
    Change-Id: I75be2df0c94c8296ca0bacf73d7053727e8b2840
    
  56. CDD: add requirement for always-on VPN opt-out.
    
    Require UI implementations to observe the always-on VPN opt-out manifest
    flag in app manifest, if such implementation exists.
    
    See VpnService.SERVICE_META_DATA_SUPPORTS_ALWAYS_ON
    
    Bug: 65561270
    Test: N/A
    Change-Id: Ie0b5ea506affbec0ab3b0268c2539bc0184721aa
    
  57. resolve merge conflicts of ece1909 to oc-dr1-dev-plus-aosp
    
    Test: I solemnly swear I tested this conflict resolution.
    
    Change-Id: Ib9a6ce41855fccf246dd4a8234c91477f49ad3c6
    
  58. Merge "CDD: O errata changes" into oreo-dev am: c5356bbfa3 am: ac54447388
    am: 8c931afc0f
    
    Change-Id: Ice1528d34191d08dc6040b7da3c626e2f4489330
    
  59. Docs: Misc fixes for CDD.
    
    Bug: 67405273
    
    Test: make_cdd.py --version 8.0 --branch "oc-dev"
    Change-Id: Icee371d41284f56ef6d9ad90ab8992c94134d5bd
    
  60. CDD: O errata changes
    
    Fixes to missing/incorrect IDs in CDD.
    Bug: 66482816
    Test: N/A
    
    Change-Id: I8241e1f96f7bc2c5d9e190e96da87fcb504cde02
    
  61. Docs: Move dev-specific reqs to Ch 2.
    
    Test: python make_cdd.py --version <version-number>  --branch <mybranch>
    
    Bug: 64164626
    Change-Id: Ie091c0be79ad4a797f26a60e95ee2594f053f804
    
  62. Merge "Docs: Restructure section 9.8." into oc-dev
  63. Merge "Docs: Restructure section 9.9." into oc-dev
  64. Docs: Restructure section 9.9.
    
    Part of restructuring work for CDD.
    
    Test: N/A
    Bug: 64811960
    Change-Id: If35c39e10f621e1b9bad51eb9a89770815d2226d
    
  65. Merge "Docs: Restructure section 9.14." into oc-dev
  66. Docs: Restructure section 9.14.
    
    Part of restructuring work for CDD.
    
    Test: N/A
    Bug: 64811960
    Change-Id: I8f106180bb29452ce3de28ba100dcb76dae74737
    
  67. Merge "Docs: Restructure section 9.6." into oc-dev
  68. Docs: Restructure section 9.6.
    
    Part of restructuring work for CDD.
    
    Test: N/A
    
    Bug: 64811960
    
    Change-Id: I82b2f7099ec8811980b90b7a6969b5865fd25740
    
  69. Merge "Docs: Restructure section 9.3." into oc-dev
  70. Merge "Docs: Restructure section 9.11" into oc-dev
  71. Docs: Restructure section 9.11
    
    Part of restructuring work for CDD.
    
    Test: N/A
    Bug: 64811960
    Change-Id: I2d8ccd24e8572d397f38718088cc43274962bf12
    
  72. Merge "Docs: Restructure section 9.12." into oc-dev
  73. Merge "Docs: Restructure section 9.10." into oc-dev
  74. Docs: Restructure section 9.10.
    
    Part of restructuring work for CDD.
    
    Test: N/A
    Bug: 64811960
    Change-Id: Ic2ce057ffc3d072c4aacd52d4f0c8ebe578e9c61
    
  75. Merge "Docs: Restructure section 9.4." into oc-dev
  76. Merge "Docs: Restructure CDD section 9.1." into oc-dev
  77. Docs: Restructure CDD section 9.1.
    
    Part of restructuring work for CDD.
    
    Test: N/A
    Bug: 64811960
    Change-Id: I912f83d868078cc90345766ce6dc5e05efc8078c
    
  78. Docs: Restructure section 9.8.
    
    Part of restructuring work for CDD.
    
    Test: N/A
    Bug: 64811960
    Change-Id: I33113c2c4b5026ecd9155d5dc5c2a81743db3407
    
  79. Merge "Docs: Restructure section 9.2." into oc-dev
  80. Merge "Docs: Restructure section 9.13." into oc-dev
  81. Merge "Docs: Restructure section 9.7." into oc-dev
  82. Merge "Docs: Restructured section 9.5." into oc-dev
  83. Docs: Restructure section 9.2.
    
    Part of restructuring work for CDD.
    
    Test: N/A
    Bug: 64811960
    Change-Id: I9cf7fbb4938b714682b434da196b2321a9b9bcea
    
  84. Docs: Restructure section 9.13.
    
    Part of restructuring work for CDD.
    
    Test: N/A
    Bug: 64811960
    
    Change-Id: Icb98a0c74708c61cec94db74d04e17ec38ab819b
    
  85. Docs: Restructure section 9.7.
    
    Part of restructuring work for CDD.
    
    Test: N/A
    Bug: 64811960
    Change-Id: I076fa1c1ce0a11ebc20e90e088cbd64b08046832
    
  86. Docs: Restructured section 9.5.
    
    Part of restructuring work for CDD.
    
    Test: N/A
    Bug: 64811960
    Change-Id: If8e02513604ce19e695e0033ea5a98a6a2d5c00b
    
  87. Merge "Docs: Restructure CDD section 9.0." into oc-dev
  88. Docs: Restructure section 9.12.
    
    Part of restructuring work for CDD.
    
    Test: N/A
    Bug: 64811960
    Change-Id: I4402611e292482ed38e508716677c6b6c61be94d
    
  89. Docs: Restructure section 9.3.
    
    Part of restructuring work for CDD.
    
    Test: N/A
    Bug: 64811960
    Change-Id: If9d5d1be2b256923d669efe6c66b9d901ba0513b
    
  90. Docs: Restructure section 9.4.
    
    Part of restructuring work for CDD.
    
    Test: N/A
    Bug: 64811960
    Change-Id: I730c279f6067ad1002bb1c75dde664246f7eaa8d
    
  91. Docs: Restructure CDD section 9.0.
    
    Part of restructuring work for CDD.
    
    Test: N/A
    Bug: 64811960
    Change-Id: I840ca61cace0f61fe85353fcedca0627a8647ca7
    
  92. CDD: Add req for the trust agent escrow token system API
    
    Add requirements to account for the new methods in
    TrustAgentService that allow unlocking a device based on escrow
    tokens.
    
    Bug: 36237319
    Test: Documentation update.
    Change-Id: I38cec1d94bbcbcbf97782308dc800abf650d6532
    
  93. CDD: Require checking the primary authentication periodically
    
    - Added this requirement for the following reasons:
    - Security; The supplemental unlocks are less secure than the primary
    credential so limit the risk by periodically asking for the main
    password.
    - Usability; Make sure the user enters their primary knowledge factor
    often enough not to forget it.
    
    Bug: 38314942
    Change-Id: I664813f58f5881c51500559eb7175fd759885d9e
    
  94. Merge "CDD: Updated Kernel security requirements." into oc-dev
  95. CDD: Updated Kernel security requirements.
    
    Added requirements to make sure the Android ecosystem has
    a minimum safe bar for kernel configurations.
    
    Bug: 36371578
    Test: N/A
    Change-Id: Iea6207dfd5805392ea1bbdf232004d32cc19ff52
    
  96. Merge "CDD:  Require indicating to the user the impact of TrustAgentService on screen locks." into oc-dev
  97. Merge "CDD: Require user affordances to grant/revoke PACKAGE_USAGE_STATS permission." into oc-dev
  98. CDD:  Require indicating to the user the impact of TrustAgentService
    on screen locks.
    
    TrustAgentService is able to change the behavior of screen locks, and
    hence such a state has to be indicated to the end user in a more
    transparent way.
    
    Test: description only
    Bug: 35849818
    Change-Id: Id4e1cd29bbfc2e2c51ee0d852a30983a69c4786a
    
  99. CDD: Require user affordances to grant/revoke PACKAGE_USAGE_STATS
    permission.
    
    Without the user-accessible mechanism, the android.app.usage package
    APIs can't be granted/revoked despite the API documents for the
    android.app.usage package multiple times referring to
    "However, declaring the permission implies intention to use the API
    and the user of the device can grant permission through the Settings
    application."
    
    Bug: 34107152
    Test: N/A
    Change-Id: Ie7385f54c024a72e943bf7b6d33b13d0b7ce6806
    
  100. Merge "CDD: Require a default passcode to wrap the encryption key" into oc-dev