author Karuna Wadhera <kwadhera@google.com> 2025-01-06 22:19:58 +0000
committer Karuna Wadhera <kwadhera@google.com> 2025-01-09 01:36:36 +0000
commitfbb369e218aa7bf527a0857c5bc69db0ef315b8b (patch)
treef5a5a87ce28533a28170dde0c6f4a2cc45819cf3 /keystore
parente7ae25fcaa7d8213751545e4393b83134bf5a939 (diff)
MODULE_HASH documentation
Bug: 369375199 Test: builds Change-Id: If4a0be1314c0a98409b2fd0289d099a45120ce33
Diffstat (limited to 'keystore')
-rw-r--r--keystore/java/android/security/keystore/KeyStoreManager.java6
1 files changed, 4 insertions, 2 deletions
diff --git a/keystore/java/android/security/keystore/KeyStoreManager.java b/keystore/java/android/security/keystore/KeyStoreManager.java
index 740ccb53a691..13f1a72469c2 100644
--- a/keystore/java/android/security/keystore/KeyStoreManager.java
+++ b/keystore/java/android/security/keystore/KeyStoreManager.java
@@ -312,9 +312,11 @@ public final class KeyStoreManager {
* When passed into getSupplementaryAttestationInfo, getSupplementaryAttestationInfo returns the
* DER-encoded structure corresponding to the `Modules` schema described in the KeyMint HAL's
* KeyCreationResult.aidl. The SHA-256 hash of this encoded structure is what's included with
- * the tag in attestations.
+ * the tag in attestations. To ensure the returned encoded structure is the one attested to,
+ * clients should verify its SHA-256 hash matches the one in the attestation. Note that the
+ * returned structure can vary between boots.
*/
- // TODO(b/369375199): Replace with Tag.MODULE_HASH when flagging is removed.
+ // TODO(b/380020528): Replace with Tag.MODULE_HASH when KeyMint V4 is frozen.
public static final int MODULE_HASH = TagType.BYTES | 724;
/**
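Review bot: The sentence added to the MODULE_HASH Javadoc tells clients to check that the SHA-256 hash matches "the one in the attestation", but it does not say that this only proves anything when the attestation's certificate chain has already been validated, or that the hash must be computed over the returned DER bytes exactly as returned rather than over a re-encoded copy. Because the text also says the structure can vary between boots, it should state that a copy cached from an earlier boot may not match a fresh attestation. Suggested wording: `clients should compute SHA-256 over the returned bytes as-is and compare it with the module hash from an attestation they have already verified; the structure can vary between boots, so fetch it again rather than reusing a copy across reboots.` The Javadoc block starts above this hunk, so part of this may already be covered there.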