diff --git a/libwvdrmengine/cdm/core/src/license_protocol.proto b/libwvdrmengine/cdm/core/src/license_protocol.proto
index eaf2a45e..1ad2ce1a 100644
--- a/libwvdrmengine/cdm/core/src/license_protocol.proto
+++ b/libwvdrmengine/cdm/core/src/license_protocol.proto
@@ -532,6 +532,14 @@ message ProvisioningRequest {
 // Serialized, encrypted session keys. Required.
 optional bytes encrypted_session_keys = 2;
 }
+ // This message contains the custom serialized message for OTA provisioning
+ // using Android Attestation and a device id as authentication.
+ message AndroidAttestationOtaKeyboxRequest {
+ // The request contains custom serialized and signed data for the
+ // Android Attestation OTA request.
+ optional bytes ota_request = 1;
+ }
+
 oneof clear_or_encrypted_client_id {
 // Device root of trust and other client identification. Required.
 ClientIdentification client_id = 1;
@@ -555,6 +563,8 @@ message ProvisioningRequest {
 // SessionKeys encrypted using a service cert public key.
 // Required for keybox provisioning.
 optional EncryptedSessionKeys encrypted_session_keys = 8;
+ // The custom request for Android Attestation OTA.
+ optional AndroidAttestationOtaKeyboxRequest android_ota_keybox_request = 9;
 }

 // Provisioning response sent by the provisioning server to client devices.
@@ -579,6 +589,14 @@ message ProvisioningResponse {
 // Devices in this series have been revoked. Provisioning is not possible.
 REVOKED_DEVICE_SERIES = 2;
 }
+ // This message contains the custom response for Android Attestation OTA
+ // provisioning which uses the Android Attestation keybox and a device id
+ // from the chip set.
+ message AndroidAttestationOtaKeyboxResponse {
+ // The response contains custom serialized and signed data for the
+ // Android Attestation OTA keybox provisioning.
+ optional bytes ota_response = 1;
+ }

 // AES-128 encrypted device private RSA key. PKCS#1 ASN.1 DER-encoded.
 // Required. For X.509 certificates, the private RSA key may also include
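Review bot: `ota_request` in the new `AndroidAttestationOtaKeyboxRequest` (first hunk) is documented only as "custom serialized and signed data", which gives the receiver no stated contract for an opaque blob that originates on the device. The field comment should say where the inner format is specified, which key signs it, and that the signature is checked before the payload is parsed, for example `// Opaque to this protocol; format defined in <spec reference>. The receiver verifies the signature before parsing and rejects oversized payloads.` The same gap applies to `ota_response` in `AndroidAttestationOtaKeyboxResponse` in the ProvisioningResponse hunk. Both enclosing messages start and end outside their hunks, so any existing documentation of this elsewhere in the file is not visible here.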
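Review bot: `android_ota_keybox_request = 9` (second hunk) is added as an independent optional field, so the schema allows it to appear together with `encrypted_session_keys` and the `clear_or_encrypted_client_id` oneof, and its comment does not say which of those are required or ignored for an OTA request. I would document the expected combination and tie the field to the ANDROID_ATTESTATION_KEYBOX_OTA value added to SignedProvisioningMessage in the last hunk, e.g. `// Set only when the enclosing SignedProvisioningMessage selects ANDROID_ATTESTATION_KEYBOX_OTA; the receiver rejects a mismatch.` Whether the handling code already enforces this cannot be seen from the diff. ProvisioningRequest starts outside the hunk.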
@@ -603,6 +621,9 @@ message ProvisioningResponse {
 // than |status| may be empty and should be ignored if the |status|
 // is present and not NO_ERROR
 optional ProvisioningStatus status = 7;
+ // The Android Attestation OTA response. Only populated if the request
+ // was an Android Attestation OTA request.
+ optional AndroidAttestationOtaKeyboxResponse android_ota_keybox_response = 8;
 }

 // Protocol-specific context data used to hold the state of the server in
@@ -654,6 +675,8 @@ message SignedProvisioningMessage {
 PROVISIONING_20 = 2; // Keybox factory-provisioned devices.
 PROVISIONING_30 = 3; // OEM certificate factory-provisioned devices.
 ARCPP_PROVISIONING = 4; // ChromeOS/Arc++ devices.
+ // Android-Attestation-based OTA keyboxes.
+ ANDROID_ATTESTATION_KEYBOX_OTA = 6;
 INTEL_SIGMA_101 = 101; // Intel Sigma 1.0.1 protocol.
 }
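Review bot: The comment on `android_ota_keybox_response = 8` (hunk at -603) says when the server populates the field but not how it relates to `status`. The context lines just above state that fields other than |status| may be empty and should be ignored when |status| is present and not NO_ERROR, and the new field should say explicitly that it falls under that rule. It would also help to state what a client does with a response carrying this field when it did not send an OTA request, e.g. `// Ignored by the client unless it sent android_ota_keybox_request, and whenever |status| is not NO_ERROR.` ProvisioningResponse starts outside the hunk.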
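Review bot: `ANDROID_ATTESTATION_KEYBOX_OTA = 6` (last hunk) skips 5 with no explanation in the lines shown. If 5 was assigned and later withdrawn, `reserved 5;` with a short comment would keep it from being reused with a different meaning, and if it is held for another variant a one-line comment saying so is enough. The enum's opening lines are outside the hunk, so an existing reservation may already be there. As a style point, the neighbouring values use trailing comments while the new value uses a leading one. The comment could also note how peers built before this change are expected to fail on the unknown value, since the fallback depends on a field default that is not visible here.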