Correct AttestKey test that checks Qualcomm's SPU waiver.

The test exempted KeyMint on the affected chips from having to implement
ATTEST_KEY if they have StrongBox in all Android releases from Android S
onwards, but the waiver was given only for Android S and T.  This CL
changes the test to reinstate the requirement after Android T.

Test: VtsAidlKeyMintTargetTest
Change-Id: I8481ae31de34aae220af7e7188632edcc2d391f0
diff --git a/security/keymint/aidl/vts/functional/AttestKeyTest.cpp b/security/keymint/aidl/vts/functional/AttestKeyTest.cpp
index cdcaaf3..8027dce 100644
--- a/security/keymint/aidl/vts/functional/AttestKeyTest.cpp
+++ b/security/keymint/aidl/vts/functional/AttestKeyTest.cpp
@@ -142,11 +142,14 @@
         return false;
     }
 
-    // Check if chipset has received a waiver allowing it to be launched with
-    // Android S (or later) with Keymaster 4.0 in StrongBox
+    // Check if chipset has received a waiver allowing it to be launched with Android S or T with
+    // Keymaster 4.0 in StrongBox.
     bool is_chipset_allowed_km4_strongbox(void) const {
         std::array<char, PROPERTY_VALUE_MAX> buffer;
 
+        const int32_t first_api_level = property_get_int32("ro.board.first_api_level", 0);
+        if (first_api_level <= 0 || first_api_level > __ANDROID_API_T__) return false;
+
         auto res = property_get("ro.vendor.qti.soc_model", buffer.data(), nullptr);
         if (res <= 0) return false;
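Review bot: In the added `first_api_level <= 0 || first_api_level > __ANDROID_API_T__` check, an unset `ro.board.first_api_level` (the 0 default passed to `property_get_int32`) returns false, so a waived chipset whose build does not define that property silently loses the waiver and is held to the ATTEST_KEY requirement. If that is the intended behaviour, state it in the function comment; if not, consider falling back to another launch-level source such as `ro.product.first_api_level` before returning false. The updated comment also says "Android S or T", while the visible code enforces only the upper bound at `__ANDROID_API_T__`; either add the lower bound here or note in the comment where it is checked.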