有人知道 PERM-AR-DO 的详细信息吗?
Does anyone know details about PERM-AR-DO?
根据https://source.android.com/devices/tech/config/uicc.html,
AR-DO (E3) is extended to include PERM-AR-DO (DB), which is an 8-byte bit mask representing 64 separate permissions.
有人知道 PERM-AR-DO 的规格吗?
GlobalPlatform 安全元素访问控制规范版本 1.0 和 1.1 不包含它。对于访问规则数据对象 AR-DO (0xE3),仅定义了标记 0xD0 和 0xD1。
数据对象 PERM-AR-DO(标签 0xDB),就像 UICC Carrier Privileges page 上定义的其他数据对象(DeviceAppID-REF-DO with SHA-256 和 PKG-REF-DO),是 GP 安全元素访问控制规范的 Google 特定扩展。因此,您不会在 GP 规范中找到有关这些 DO 的任何信息。
您链接的页面实际上在常见问题解答部分提供了您问题的答案:
We assume we can grant access to all carrier-based permissions or have a finer-grained control. What will define the mapping between the bit mask and the actual permissions then? One permission per class? One permission per method specifically? Will 64 separate permissions be enough in the long run?
A: This is reserved for the future, and we welcome suggestions.
所以答案是PERM-AR-DO的解释还没有定义。这也反映在解析访问规则的 Android 源代码中(在 UiccCarrierPrivilegeRules.java on lines 591-601 中):
} else if (rule.startsWith(TAG_AR_DO)) {
TLV arDo = new TLV(TAG_AR_DO); //E3
rule = arDo.parse(rule, false);
// Skip unrelated rules.
if (!arDo.value.startsWith(TAG_PERM_AR_DO)) {
return null;
}
TLV <b>permDo</b> = new TLV(TAG_PERM_AR_DO); //DB
<b>permDo</b>.parse(arDo.value, true);
} else {
此代码解析 AR-DO 并提取 PERM-AR-DO,然后简单地删除提取的值 (permDo)。
同样,生成的 AccessRule 对象包含一个值 accessType,它始终设置为 0:
long accessType = <b>0</b>;
<i>[...]</i>
AccessRule accessRule = new AccessRule(IccUtils.hexStringToBytes(certificateHash),
packageName, <b>accessType</b>);
此外,在 class AccessRule 字段 accessType 旁边有一条注释,表明该字段“当前未使用":
public long accessType; // <b>This bit is not currently used, but reserved for future use.</b>
根据https://source.android.com/devices/tech/config/uicc.html,
AR-DO (E3) is extended to include PERM-AR-DO (DB), which is an 8-byte bit mask representing 64 separate permissions.
有人知道 PERM-AR-DO 的规格吗?
GlobalPlatform 安全元素访问控制规范版本 1.0 和 1.1 不包含它。对于访问规则数据对象 AR-DO (0xE3),仅定义了标记 0xD0 和 0xD1。
数据对象 PERM-AR-DO(标签 0xDB),就像 UICC Carrier Privileges page 上定义的其他数据对象(DeviceAppID-REF-DO with SHA-256 和 PKG-REF-DO),是 GP 安全元素访问控制规范的 Google 特定扩展。因此,您不会在 GP 规范中找到有关这些 DO 的任何信息。
您链接的页面实际上在常见问题解答部分提供了您问题的答案:
We assume we can grant access to all carrier-based permissions or have a finer-grained control. What will define the mapping between the bit mask and the actual permissions then? One permission per class? One permission per method specifically? Will 64 separate permissions be enough in the long run?
A: This is reserved for the future, and we welcome suggestions.
所以答案是PERM-AR-DO的解释还没有定义。这也反映在解析访问规则的 Android 源代码中(在 UiccCarrierPrivilegeRules.java on lines 591-601 中):
} else if (rule.startsWith(TAG_AR_DO)) {
TLV arDo = new TLV(TAG_AR_DO); //E3
rule = arDo.parse(rule, false);
// Skip unrelated rules.
if (!arDo.value.startsWith(TAG_PERM_AR_DO)) {
return null;
}
TLV <b>permDo</b> = new TLV(TAG_PERM_AR_DO); //DB
<b>permDo</b>.parse(arDo.value, true);
} else {
此代码解析 AR-DO 并提取 PERM-AR-DO,然后简单地删除提取的值 (permDo)。
同样,生成的 AccessRule 对象包含一个值 accessType,它始终设置为 0:
long accessType = <b>0</b>;
<i>[...]</i>
AccessRule accessRule = new AccessRule(IccUtils.hexStringToBytes(certificateHash),
packageName, <b>accessType</b>);
此外,在 class AccessRule 字段 accessType 旁边有一条注释,表明该字段“当前未使用":
public long accessType; // <b>This bit is not currently used, but reserved for future use.</b>