Relax requirement for DICE in keymint
It turns out "mid-tier" chips are based on older silicon/ROM that
cannot support DICE. OEMs are pairing these parts with an SE and
enabling StrongBox. This means the old requirement cannot be satisfied.
Instead of requiring DICE when StrongBox is enabled, we look for pVM
support (which already requires DICE).
Bug: 401663739
Bug: 402031644
Bug: 378683581
Test: atest
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:372b3e18c5edc829306cc03b693f1cbb07f9ec87)
Merged-In: I5fb7617aff8b219e29eb741f7c520a38ece70532
Change-Id: I5fb7617aff8b219e29eb741f7c520a38ece70532
diff --git a/security/rkp/aidl/vts/functional/VtsRemotelyProvisionedComponentTests.cpp b/security/rkp/aidl/vts/functional/VtsRemotelyProvisionedComponentTests.cpp
index 0696ada..ccc9f7c 100644
--- a/security/rkp/aidl/vts/functional/VtsRemotelyProvisionedComponentTests.cpp
+++ b/security/rkp/aidl/vts/functional/VtsRemotelyProvisionedComponentTests.cpp
@@ -274,15 +274,15 @@
*/
// @VsrTest = 3.10-015
// @VsrTest = 3.10-018.001
-TEST(NonParameterizedTests, requireDiceOnDefaultInstanceIfStrongboxPresent) {
+TEST(NonParameterizedTests, requireDiceOnDefaultInstanceIfProtectedVmSupported) {
int vendor_api_level = get_vendor_api_level();
if (vendor_api_level < __ANDROID_API_V__) {
GTEST_SKIP() << "Applies only to vendor API level >= 202404, but this device is: "
<< vendor_api_level;
}
- if (!AServiceManager_isDeclared(KEYMINT_STRONGBOX_INSTANCE_NAME.c_str())) {
- GTEST_SKIP() << "Strongbox is not present on this device.";
+ if (!::android::base::GetBoolProperty("ro.boot.hypervisor.protected_vm.supported", false)) {
+ GTEST_SKIP() << "DICE is only required when protected VMs are supported";
}
auto rpc = getHandle<IRemotelyProvisionedComponent>(DEFAULT_INSTANCE_NAME);
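Review bot: The new gate `GetBoolProperty("ro.boot.hypervisor.protected_vm.supported", false)` treats an unset property the same as an explicit false, so a build that does not export the property skips the DICE requirement and the result shows only a generic reason. Naming the property in the skip message would make a skipped run diagnosable, e.g. `GTEST_SKIP() << "DICE is only required when protected VMs are supported (ro.boot.hypervisor.protected_vm.supported is false or unset)";`. The doc comment that closes at `*/` above the test is not touched by this hunk; if it still describes the StrongBox condition, it should be reworded to match the new test name. The TEST body continues past the end of the hunk, so the DICE assertions themselves are not visible here.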