Andy Nullcouch Andy Nullcouch - 1 month ago 12
Android Question

Does anyone know details about PERM-AR-DO?

According to https://source.android.com/devices/tech/config/uicc.html,


AR-DO (E3) is extended to include PERM-AR-DO (DB), which is an 8-byte bit mask representing 64 separate permissions.


Does anyone know the specification for PERM-AR-DO?

GlobalPlatform Secure Element Access Control specifications version 1.0 and 1.1 do not contain it. For the access rule data object, AR-DO (0xE3), only tags 0xD0 and 0xD1 are defined.

Answer

The data object PERM-AR-DO (tag 0xDB), just as the other data objects defined on the UICC Carrier Privileges page (DeviceAppID-REF-DO with SHA-256 and PKG-REF-DO), is a Google-specific extension to the GP Secure Element Access Control specification. Consequently, you won't find anything about these DOs in the GP specifications.

The page that you linked actually provides an answer to your question in the FAQ section:

We assume we can grant access to all carrier-based permissions or have a finer-grained control. What will define the mapping between the bit mask and the actual permissions then? One permission per class? One permission per method specifically? Will 64 separate permissions be enough in the long run?

A: This is reserved for the future, and we welcome suggestions.

So the answer is that the interpretation of the PERM-AR-DO is not yet defined. This is also reflected in the Android source code that parses the access rules (in UiccCarrierPrivilegeRules.java on lines 591-601):

    } else if (rule.startsWith(TAG_AR_DO)) {
        TLV arDo = new TLV(TAG_AR_DO); //E3
        rule = arDo.parse(rule, false);
        // Skip unrelated rules.
        if (!arDo.value.startsWith(TAG_PERM_AR_DO)) {
            return null;
        }
        TLV permDo = new TLV(TAG_PERM_AR_DO); //DB
        permDo.parse(arDo.value, true);
    } else  {

This code parses the AR-DO and extracts the PERM-AR-DO but then simply drops the extracted value (permDo).

Similarly, the resulting AccessRule object contains a value accessType which is always set to 0:

    long accessType = 0;
    [...]
    AccessRule accessRule = new AccessRule(IccUtils.hexStringToBytes(certificateHash),
                                           packageName, accessType);

Moreover, inside the class AccessRule there is a comment besides the field accessType that indicates that the field is "not currently used":

    public long accessType;   // This bit is not currently used, but reserved for future use.