[automerger skipped] Merge "Fixing Keymaster documentation." into pie-vts-dev
am: 33f7970672  -s ours

Change-Id: I2b4fcba1aaac482329c43a6e4dec03d13b1bc00d
diff --git a/audio/common/all-versions/default/service/android.hardware.audio@2.0-service.rc b/audio/common/all-versions/default/service/android.hardware.audio@2.0-service.rc
index 8217b94..6e91bcc 100644
--- a/audio/common/all-versions/default/service/android.hardware.audio@2.0-service.rc
+++ b/audio/common/all-versions/default/service/android.hardware.audio@2.0-service.rc
@@ -2,7 +2,8 @@
     class hal
     user audioserver
     # media gid needed for /dev/fm (radio) and for /data/misc/media (tee)
-    group audio camera drmrpc inet media mediadrm net_bt net_bt_admin net_bw_acct
+    group audio camera drmrpc inet media mediadrm net_bt net_bt_admin net_bw_acct wakelock
+    capabilities BLOCK_SUSPEND
     ioprio rt 4
     writepid /dev/cpuset/foreground/tasks /dev/stune/foreground/tasks
     # audioflinger restarts itself when it loses connection with the hal
diff --git a/audio/core/4.0/vts/functional/AudioPrimaryHidlHalTest.cpp b/audio/core/4.0/vts/functional/AudioPrimaryHidlHalTest.cpp
index 761330f..0f8996f 100644
--- a/audio/core/4.0/vts/functional/AudioPrimaryHidlHalTest.cpp
+++ b/audio/core/4.0/vts/functional/AudioPrimaryHidlHalTest.cpp
@@ -106,7 +106,10 @@
 static auto okOrNotSupported = {Result::OK, Result::NOT_SUPPORTED};
 static auto okOrNotSupportedOrInvalidArgs = {Result::OK, Result::NOT_SUPPORTED,
                                              Result::INVALID_ARGUMENTS};
+static auto okOrInvalidStateOrNotSupported = {Result::OK, Result::INVALID_STATE,
+                                              Result::NOT_SUPPORTED};
 static auto invalidArgsOrNotSupported = {Result::INVALID_ARGUMENTS, Result::NOT_SUPPORTED};
+static auto invalidStateOrNotSupported = {Result::INVALID_STATE, Result::NOT_SUPPORTED};
 
 class AudioHidlTestEnvironment : public ::Environment {
    public:
@@ -949,8 +952,6 @@
 TEST_IO_STREAM(standby, "Make sure the stream can be put in stanby",
                ASSERT_OK(stream->standby()))  // can not fail
 
-static constexpr auto invalidStateOrNotSupported = {Result::INVALID_STATE, Result::NOT_SUPPORTED};
-
 TEST_IO_STREAM(startNoMmap, "Starting a mmaped stream before mapping it should fail",
                ASSERT_RESULT(invalidStateOrNotSupported, stream->start()))
 
@@ -1070,11 +1071,15 @@
 TEST_P(InputStreamTest, getCapturePosition) {
     doc::test(
         "The capture position of a non prepared stream should not be "
-        "retrievable");
+        "retrievable or 0");
     uint64_t frames;
     uint64_t time;
     ASSERT_OK(stream->getCapturePosition(returnIn(res, frames, time)));
-    ASSERT_RESULT(invalidStateOrNotSupported, res);
+    ASSERT_RESULT(okOrInvalidStateOrNotSupported, res);
+    if (res == Result::OK) {
+        ASSERT_EQ(0U, frames);
+        ASSERT_LE(0U, time);
+    }
 }
 
 TEST_P(InputStreamTest, updateSinkMetadata) {
diff --git a/camera/device/3.2/default/CameraDeviceSession.cpp b/camera/device/3.2/default/CameraDeviceSession.cpp
index 69f8535..fd785df 100644
--- a/camera/device/3.2/default/CameraDeviceSession.cpp
+++ b/camera/device/3.2/default/CameraDeviceSession.cpp
@@ -53,6 +53,7 @@
         camera3_callback_ops({&sProcessCaptureResult, &sNotify}),
         mDevice(device),
         mDeviceVersion(device->common.version),
+        mFreeBufEarly(shouldFreeBufEarly()),
         mIsAELockAvailable(false),
         mDerivePostRawSensKey(false),
         mNumPartialResults(1),
@@ -129,6 +130,10 @@
     return false;
 }
 
+bool CameraDeviceSession::shouldFreeBufEarly() {
+    return property_get_bool("ro.vendor.camera.free_buf_early", 0) == 1;
+}
+
 CameraDeviceSession::~CameraDeviceSession() {
     if (!isClosed()) {
         ALOGE("CameraDeviceSession deleted before close!");
@@ -887,6 +892,24 @@
         (*streams)[i] = &mStreamMap[id];
     }
 
+    if (mFreeBufEarly) {
+        // Remove buffers of deleted streams
+        for(auto it = mStreamMap.begin(); it != mStreamMap.end(); it++) {
+            int id = it->first;
+            bool found = false;
+            for (const auto& stream : requestedConfiguration.streams) {
+                if (id == stream.id) {
+                    found = true;
+                    break;
+                }
+            }
+            if (!found) {
+                // Unmap all buffers of deleted stream
+                cleanupBuffersLocked(id);
+            }
+        }
+    }
+
     return true;
 }
 
@@ -908,7 +931,9 @@
             // Unmap all buffers of deleted stream
             // in case the configuration call succeeds and HAL
             // is able to release the corresponding resources too.
-            cleanupBuffersLocked(id);
+            if (!mFreeBufEarly) {
+                cleanupBuffersLocked(id);
+            }
             it = mStreamMap.erase(it);
         } else {
             ++it;
@@ -927,6 +952,27 @@
     mResultBatcher.setBatchedStreams(mVideoStreamIds);
 }
 
+
+void CameraDeviceSession::postProcessConfigurationFailureLocked(
+        const StreamConfiguration& requestedConfiguration) {
+    if (mFreeBufEarly) {
+        // Re-build the buf cache entry for deleted streams
+        for(auto it = mStreamMap.begin(); it != mStreamMap.end(); it++) {
+            int id = it->first;
+            bool found = false;
+            for (const auto& stream : requestedConfiguration.streams) {
+                if (id == stream.id) {
+                    found = true;
+                    break;
+                }
+            }
+            if (!found) {
+                mCirculatingBuffers.emplace(id, CirculatingBuffers{});
+            }
+        }
+    }
+}
+
 Return<void> CameraDeviceSession::configureStreams(
         const StreamConfiguration& requestedConfiguration,
         ICameraDeviceSession::configureStreams_cb _hidl_cb)  {
@@ -979,6 +1025,8 @@
     // the corresponding resources of the deleted streams.
     if (ret == OK) {
         postProcessConfigurationLocked(requestedConfiguration);
+    } else {
+        postProcessConfigurationFailureLocked(requestedConfiguration);
     }
 
     if (ret == -EINVAL) {
diff --git a/camera/device/3.2/default/CameraDeviceSession.h b/camera/device/3.2/default/CameraDeviceSession.h
index af90e5a..bcee259 100644
--- a/camera/device/3.2/default/CameraDeviceSession.h
+++ b/camera/device/3.2/default/CameraDeviceSession.h
@@ -120,6 +120,8 @@
             hidl_vec<camera3_stream_t*> *streams /*out*/);
     void postProcessConfigurationLocked(const StreamConfiguration& requestedConfiguration);
 
+    void postProcessConfigurationFailureLocked(const StreamConfiguration& requestedConfiguration);
+
 protected:
 
     // protecting mClosed/mDisconnected/mInitFail
@@ -142,6 +144,7 @@
 
     camera3_device_t* mDevice;
     const uint32_t mDeviceVersion;
+    const bool mFreeBufEarly;
     bool mIsAELockAvailable;
     bool mDerivePostRawSensKey;
     uint32_t mNumPartialResults;
@@ -293,6 +296,8 @@
 
     bool initialize();
 
+    static bool shouldFreeBufEarly();
+
     Status initStatus() const;
 
     // Validate and import request's input buffer and acquire fence
diff --git a/camera/device/3.3/default/CameraDeviceSession.cpp b/camera/device/3.3/default/CameraDeviceSession.cpp
index d36e9ed..60174fb 100644
--- a/camera/device/3.3/default/CameraDeviceSession.cpp
+++ b/camera/device/3.3/default/CameraDeviceSession.cpp
@@ -92,6 +92,8 @@
     // the corresponding resources of the deleted streams.
     if (ret == OK) {
         postProcessConfigurationLocked(requestedConfiguration);
+    } else {
+        postProcessConfigurationFailureLocked(requestedConfiguration);
     }
 
     if (ret == -EINVAL) {
diff --git a/camera/device/3.4/default/CameraDeviceSession.cpp b/camera/device/3.4/default/CameraDeviceSession.cpp
index 6a18161..f2e031c 100644
--- a/camera/device/3.4/default/CameraDeviceSession.cpp
+++ b/camera/device/3.4/default/CameraDeviceSession.cpp
@@ -154,6 +154,8 @@
     // the corresponding resources of the deleted streams.
     if (ret == OK) {
         postProcessConfigurationLocked_3_4(requestedConfiguration);
+    } else {
+        postProcessConfigurationFailureLocked_3_4(requestedConfiguration);
     }
 
     if (ret == -EINVAL) {
@@ -215,6 +217,23 @@
         (*streams)[i] = &mStreamMap[id];
     }
 
+    if (mFreeBufEarly) {
+        // Remove buffers of deleted streams
+        for(auto it = mStreamMap.begin(); it != mStreamMap.end(); it++) {
+            int id = it->first;
+            bool found = false;
+            for (const auto& stream : requestedConfiguration.streams) {
+                if (id == stream.v3_2.id) {
+                    found = true;
+                    break;
+                }
+            }
+            if (!found) {
+                // Unmap all buffers of deleted stream
+                cleanupBuffersLocked(id);
+            }
+        }
+    }
     return true;
 }
 
@@ -236,7 +255,9 @@
             // Unmap all buffers of deleted stream
             // in case the configuration call succeeds and HAL
             // is able to release the corresponding resources too.
-            cleanupBuffersLocked(id);
+            if (!mFreeBufEarly) {
+                cleanupBuffersLocked(id);
+            }
             it = mStreamMap.erase(it);
         } else {
             ++it;
@@ -255,6 +276,26 @@
     mResultBatcher_3_4.setBatchedStreams(mVideoStreamIds);
 }
 
+void CameraDeviceSession::postProcessConfigurationFailureLocked_3_4(
+        const StreamConfiguration& requestedConfiguration) {
+    if (mFreeBufEarly) {
+        // Re-build the buf cache entry for deleted streams
+        for(auto it = mStreamMap.begin(); it != mStreamMap.end(); it++) {
+            int id = it->first;
+            bool found = false;
+            for (const auto& stream : requestedConfiguration.streams) {
+                if (id == stream.v3_2.id) {
+                    found = true;
+                    break;
+                }
+            }
+            if (!found) {
+                mCirculatingBuffers.emplace(id, CirculatingBuffers{});
+            }
+        }
+    }
+}
+
 Return<void> CameraDeviceSession::processCaptureRequest_3_4(
         const hidl_vec<V3_4::CaptureRequest>& requests,
         const hidl_vec<V3_2::BufferCache>& cachesToRemove,
diff --git a/camera/device/3.4/default/include/device_v3_4_impl/CameraDeviceSession.h b/camera/device/3.4/default/include/device_v3_4_impl/CameraDeviceSession.h
index 5d6a112..fdc8a5a 100644
--- a/camera/device/3.4/default/include/device_v3_4_impl/CameraDeviceSession.h
+++ b/camera/device/3.4/default/include/device_v3_4_impl/CameraDeviceSession.h
@@ -84,6 +84,8 @@
             camera3_stream_configuration_t *stream_list /*out*/,
             hidl_vec<camera3_stream_t*> *streams /*out*/);
     void postProcessConfigurationLocked_3_4(const StreamConfiguration& requestedConfiguration);
+    void postProcessConfigurationFailureLocked_3_4(
+            const StreamConfiguration& requestedConfiguration);
 
     Return<void> processCaptureRequest_3_4(
             const hidl_vec<V3_4::CaptureRequest>& requests,
diff --git a/camera/provider/2.4/vts/functional/VtsHalCameraProviderV2_4TargetTest.cpp b/camera/provider/2.4/vts/functional/VtsHalCameraProviderV2_4TargetTest.cpp
index c6c00d2..439333d 100644
--- a/camera/provider/2.4/vts/functional/VtsHalCameraProviderV2_4TargetTest.cpp
+++ b/camera/provider/2.4/vts/functional/VtsHalCameraProviderV2_4TargetTest.cpp
@@ -3649,6 +3649,7 @@
                                         static_cast<int32_t>(PixelFormat::IMPLEMENTATION_DEFINED)};
     uint64_t bufferId = 1;
     uint32_t frameNumber = 1;
+    float isoTol = .03f;
     ::android::hardware::hidl_vec<uint8_t> settings;
 
     for (const auto& name : cameraDeviceNames) {
@@ -3778,7 +3779,8 @@
             ASSERT_TRUE(inflightReqs[i].collectedResult.exists(ANDROID_SENSOR_SENSITIVITY));
             camera_metadata_entry_t isoResult = inflightReqs[i].collectedResult.find(
                     ANDROID_SENSOR_SENSITIVITY);
-            ASSERT_TRUE(isoResult.data.i32[0] == isoValues[i]);
+            ASSERT_TRUE(std::abs(isoResult.data.i32[0] - isoValues[i]) <=
+                        std::round(isoValues[i]*isoTol));
         }
 
         ret = session->close();
diff --git a/drm/1.0/default/DrmFactory.cpp b/drm/1.0/default/DrmFactory.cpp
index 7e5d998..05951d7 100644
--- a/drm/1.0/default/DrmFactory.cpp
+++ b/drm/1.0/default/DrmFactory.cpp
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2016 The Android Open Source Project
-` *
+ *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
diff --git a/drm/1.0/default/LegacyPluginPath.cpp b/drm/1.0/default/LegacyPluginPath.cpp
index 369059d..d0a8f90 100644
--- a/drm/1.0/default/LegacyPluginPath.cpp
+++ b/drm/1.0/default/LegacyPluginPath.cpp
@@ -16,6 +16,8 @@
 
 #include "LegacyPluginPath.h"
 
+#include <unistd.h>
+
 #include <cutils/properties.h>
 
 namespace android {
@@ -24,12 +26,16 @@
 namespace V1_0 {
 namespace implementation {
 
+// 64-bit DRM depends on OEM libraries that aren't
+// provided for all devices. If the drm hal service
+// is running as 64-bit use the 64-bit libs, otherwise
+// use the 32-bit libs.
 const char* getDrmPluginPath() {
-    if (property_get_bool("drm.64bit.enabled", false)) {
-        return "/vendor/lib64/mediadrm";
-    } else {
-        return "/vendor/lib/mediadrm";
-    }
+#if defined(__LP64__)
+    return "/vendor/lib64/mediadrm";
+#else
+    return "/vendor/lib/mediadrm";
+#endif
 }
 
 }  // namespace implementation
diff --git a/drm/1.0/default/include/PluginLoader.h b/drm/1.0/default/include/PluginLoader.h
index f387b3c..0c45fb3 100644
--- a/drm/1.0/default/include/PluginLoader.h
+++ b/drm/1.0/default/include/PluginLoader.h
@@ -85,7 +85,10 @@
                 libraries.push(library);
                 T* result = createFactoryFunc();
                 return  result;
-           }
+            } else {
+                ALOGE("Failed to lookup symbol %s in library %s: %s",
+                        entry, path, library->lastError());
+            }
         }
         return NULL;
     }
diff --git a/gnss/1.1/vts/functional/gnss_hal_test_cases.cpp b/gnss/1.1/vts/functional/gnss_hal_test_cases.cpp
index 72e5e14..c9f840e 100644
--- a/gnss/1.1/vts/functional/gnss_hal_test_cases.cpp
+++ b/gnss/1.1/vts/functional/gnss_hal_test_cases.cpp
@@ -439,7 +439,7 @@
             EXPECT_GE(data.position.ageSeconds, 0);
         }
 
-        EXPECT_GE(data.time.timeEstimate, 1514764800000);  // Jan 01 2018 00:00:00
+        EXPECT_GE(data.time.timeEstimate, 1483228800000);  // Jan 01 2017 00:00:00 GMT.
 
         EXPECT_GT(data.time.timeUncertaintyNs, 0);
 
diff --git a/graphics/composer/2.1/utils/hwc2onfbadapter/HWC2OnFbAdapter.cpp b/graphics/composer/2.1/utils/hwc2onfbadapter/HWC2OnFbAdapter.cpp
index 7c9e651..0f50577 100644
--- a/graphics/composer/2.1/utils/hwc2onfbadapter/HWC2OnFbAdapter.cpp
+++ b/graphics/composer/2.1/utils/hwc2onfbadapter/HWC2OnFbAdapter.cpp
@@ -32,6 +32,8 @@
 #include <log/log.h>
 #include <sync/sync.h>
 
+using namespace HWC2;
+
 namespace android {
 
 namespace {
@@ -629,9 +631,10 @@
     }
 }
 
-void getCapabilitiesHook(hwc2_device_t* /*device*/, uint32_t* outCount,
-                         int32_t* /*outCapabilities*/) {
-    *outCount = 0;
+void getCapabilitiesHook(hwc2_device_t* device, uint32_t* outCount,
+                         int32_t* outCapabilities) {
+    auto& adapter = HWC2OnFbAdapter::cast(device);
+    adapter.getCapabilities(outCount, outCapabilities);
 }
 
 int closeHook(hw_device_t* device) {
@@ -656,6 +659,10 @@
     mFbInfo.xdpi_scaled = int(mFbDevice->xdpi * 1000.0f);
     mFbInfo.ydpi_scaled = int(mFbDevice->ydpi * 1000.0f);
 
+    // Present fences aren't supported, always indicate PresentFenceIsNotReliable
+    // for FB devices
+    mCapabilities.insert(Capability::PresentFenceIsNotReliable);
+
     mVsyncThread.start(0, mFbInfo.vsync_period_ns);
 }
 
@@ -791,6 +798,23 @@
     mVsyncThread.enableCallback(enable);
 }
 
+void HWC2OnFbAdapter::getCapabilities(uint32_t* outCount,
+                                      int32_t* outCapabilities) {
+    if (outCapabilities == nullptr) {
+        *outCount = mCapabilities.size();
+        return;
+    }
+
+    auto capabilityIter = mCapabilities.cbegin();
+    for (size_t written = 0; written < *outCount; ++written) {
+        if (capabilityIter == mCapabilities.cend()) {
+            return;
+        }
+        outCapabilities[written] = static_cast<int32_t>(*capabilityIter);
+        ++capabilityIter;
+    }
+}
+
 int64_t HWC2OnFbAdapter::VsyncThread::now() {
     struct timespec ts;
     clock_gettime(CLOCK_MONOTONIC, &ts);
diff --git a/graphics/composer/2.1/utils/hwc2onfbadapter/include/hwc2onfbadapter/HWC2OnFbAdapter.h b/graphics/composer/2.1/utils/hwc2onfbadapter/include/hwc2onfbadapter/HWC2OnFbAdapter.h
index d6272fd..f1f11ef 100644
--- a/graphics/composer/2.1/utils/hwc2onfbadapter/include/hwc2onfbadapter/HWC2OnFbAdapter.h
+++ b/graphics/composer/2.1/utils/hwc2onfbadapter/include/hwc2onfbadapter/HWC2OnFbAdapter.h
@@ -23,7 +23,11 @@
 #include <thread>
 #include <unordered_set>
 
+#define HWC2_INCLUDE_STRINGIFICATION
+#define HWC2_USE_CPP11
 #include <hardware/hwcomposer2.h>
+#undef HWC2_INCLUDE_STRINGIFICATION
+#undef HWC2_USE_CPP11
 
 struct framebuffer_device_t;
 
@@ -75,6 +79,7 @@
 
     void setVsyncCallback(HWC2_PFN_VSYNC callback, hwc2_callback_data_t data);
     void enableVsync(bool enable);
+    void getCapabilities(uint32_t* outCount, int32_t* outCapabilities);
 
 private:
     framebuffer_device_t* mFbDevice{nullptr};
@@ -90,6 +95,8 @@
 
     buffer_handle_t mBuffer{nullptr};
 
+    std::unordered_set<HWC2::Capability> mCapabilities;
+
     class VsyncThread {
     public:
         static int64_t now();
diff --git a/graphics/composer/2.2/default/android.hardware.graphics.composer@2.2-service.rc b/graphics/composer/2.2/default/android.hardware.graphics.composer@2.2-service.rc
index a41d902..efe6dad 100644
--- a/graphics/composer/2.2/default/android.hardware.graphics.composer@2.2-service.rc
+++ b/graphics/composer/2.2/default/android.hardware.graphics.composer@2.2-service.rc
@@ -4,3 +4,4 @@
     group graphics drmrpc
     capabilities SYS_NICE
     onrestart restart surfaceflinger
+    writepid /dev/cpuset/system-background/tasks
diff --git a/health/2.0/README b/health/2.0/README
index 11e6a7a..dfd965a 100644
--- a/health/2.0/README
+++ b/health/2.0/README
@@ -6,12 +6,7 @@
 1. If the device does not have a vendor-specific libhealthd AND does not
    implement storage-related APIs, just do the following:
 
-    1.1 (recommended) To remove healthd from the build,
-        PRODUCT_PACKAGES += android.hardware.health@2.0-service.override
-        DEVICE_FRAMEWORK_MANIFEST_FILE += \
-            system/libhidl/vintfdata/manifest_healthd_exclude.xml
-    1.2 To keep healthd in the build,
-        PRODUCT_PACKAGES += android.hardware.health@2.0-service
+    PRODUCT_PACKAGES += android.hardware.health@2.0-service
 
    Otherwise, continue to Step 2.
 
diff --git a/keymaster/4.0/support/Keymaster.cpp b/keymaster/4.0/support/Keymaster.cpp
index 444298b..9325cc0 100644
--- a/keymaster/4.0/support/Keymaster.cpp
+++ b/keymaster/4.0/support/Keymaster.cpp
@@ -164,10 +164,10 @@
                     sharingCheck = curSharingCheck;
                     firstKeymaster = false;
                 }
-                CHECK(curSharingCheck == sharingCheck)
-                    << "HMAC computation failed for " << *keymaster  //
-                    << " Expected: " << sharingCheck                 //
-                    << " got: " << curSharingCheck;
+                if (curSharingCheck != sharingCheck)
+                    LOG(WARNING) << "HMAC computation failed for " << *keymaster  //
+                                 << " Expected: " << sharingCheck                 //
+                                 << " got: " << curSharingCheck;
             });
         CHECK(rc.isOk()) << "Failed to communicate with " << *keymaster
                          << " error: " << rc.description();
diff --git a/keymaster/4.0/support/attestation_record.cpp b/keymaster/4.0/support/attestation_record.cpp
index 8f37d9c..6de0c1c 100644
--- a/keymaster/4.0/support/attestation_record.cpp
+++ b/keymaster/4.0/support/attestation_record.cpp
@@ -49,12 +49,14 @@
     ASN1_OCTET_STRING* verified_boot_key;
     ASN1_BOOLEAN* device_locked;
     ASN1_ENUMERATED* verified_boot_state;
+    ASN1_OCTET_STRING* verified_boot_hash;
 } KM_ROOT_OF_TRUST;
 
 ASN1_SEQUENCE(KM_ROOT_OF_TRUST) = {
     ASN1_SIMPLE(KM_ROOT_OF_TRUST, verified_boot_key, ASN1_OCTET_STRING),
     ASN1_SIMPLE(KM_ROOT_OF_TRUST, device_locked, ASN1_BOOLEAN),
     ASN1_SIMPLE(KM_ROOT_OF_TRUST, verified_boot_state, ASN1_ENUMERATED),
+    ASN1_SIMPLE(KM_ROOT_OF_TRUST, verified_boot_hash, ASN1_OCTET_STRING),
 } ASN1_SEQUENCE_END(KM_ROOT_OF_TRUST);
 IMPLEMENT_ASN1_FUNCTIONS(KM_ROOT_OF_TRUST);
 
@@ -77,11 +79,16 @@
     ASN1_OCTET_STRING* application_id;
     ASN1_INTEGER* creation_date_time;
     ASN1_INTEGER* origin;
-    ASN1_NULL* rollback_resistant;
+    ASN1_NULL* rollback_resistance;
     KM_ROOT_OF_TRUST* root_of_trust;
     ASN1_INTEGER* os_version;
     ASN1_INTEGER* os_patchlevel;
     ASN1_OCTET_STRING* attestation_application_id;
+    ASN1_NULL* trusted_user_presence_required;
+    ASN1_NULL* trusted_confirmation_required;
+    ASN1_NULL* unlocked_device_required;
+    ASN1_INTEGER* vendor_patchlevel;
+    ASN1_INTEGER* boot_patchlevel;
 } KM_AUTH_LIST;
 
 ASN1_SEQUENCE(KM_AUTH_LIST) = {
@@ -93,6 +100,7 @@
     ASN1_EXP_OPT(KM_AUTH_LIST, ec_curve, ASN1_INTEGER, TAG_EC_CURVE.maskedTag()),
     ASN1_EXP_OPT(KM_AUTH_LIST, rsa_public_exponent, ASN1_INTEGER,
                  TAG_RSA_PUBLIC_EXPONENT.maskedTag()),
+    ASN1_EXP_OPT(KM_AUTH_LIST, rollback_resistance, ASN1_NULL, TAG_ROLLBACK_RESISTANCE.maskedTag()),
     ASN1_EXP_OPT(KM_AUTH_LIST, active_date_time, ASN1_INTEGER, TAG_ACTIVE_DATETIME.maskedTag()),
     ASN1_EXP_OPT(KM_AUTH_LIST, origination_expire_date_time, ASN1_INTEGER,
                  TAG_ORIGINATION_EXPIRE_DATETIME.maskedTag()),
@@ -102,13 +110,19 @@
     ASN1_EXP_OPT(KM_AUTH_LIST, user_auth_type, ASN1_INTEGER, TAG_USER_AUTH_TYPE.maskedTag()),
     ASN1_EXP_OPT(KM_AUTH_LIST, auth_timeout, ASN1_INTEGER, TAG_AUTH_TIMEOUT.maskedTag()),
     ASN1_EXP_OPT(KM_AUTH_LIST, allow_while_on_body, ASN1_NULL, TAG_ALLOW_WHILE_ON_BODY.maskedTag()),
-    ASN1_EXP_OPT(KM_AUTH_LIST, application_id, ASN1_OCTET_STRING, TAG_APPLICATION_ID.maskedTag()),
+    ASN1_EXP_OPT(KM_AUTH_LIST, trusted_user_presence_required, ASN1_NULL,
+                 TAG_TRUSTED_USER_PRESENCE_REQUIRED.maskedTag()),
+    ASN1_EXP_OPT(KM_AUTH_LIST, trusted_confirmation_required, ASN1_NULL,
+                 TAG_TRUSTED_CONFIRMATION_REQUIRED.maskedTag()),
+    ASN1_EXP_OPT(KM_AUTH_LIST, unlocked_device_required, ASN1_NULL,
+                 TAG_UNLOCKED_DEVICE_REQUIRED.maskedTag()),
     ASN1_EXP_OPT(KM_AUTH_LIST, creation_date_time, ASN1_INTEGER, TAG_CREATION_DATETIME.maskedTag()),
     ASN1_EXP_OPT(KM_AUTH_LIST, origin, ASN1_INTEGER, TAG_ORIGIN.maskedTag()),
-    ASN1_EXP_OPT(KM_AUTH_LIST, rollback_resistant, ASN1_NULL, TAG_ROLLBACK_RESISTANCE.maskedTag()),
     ASN1_EXP_OPT(KM_AUTH_LIST, root_of_trust, KM_ROOT_OF_TRUST, TAG_ROOT_OF_TRUST.maskedTag()),
     ASN1_EXP_OPT(KM_AUTH_LIST, os_version, ASN1_INTEGER, TAG_OS_VERSION.maskedTag()),
     ASN1_EXP_OPT(KM_AUTH_LIST, os_patchlevel, ASN1_INTEGER, TAG_OS_PATCHLEVEL.maskedTag()),
+    ASN1_EXP_OPT(KM_AUTH_LIST, vendor_patchlevel, ASN1_INTEGER, TAG_VENDOR_PATCHLEVEL.maskedTag()),
+    ASN1_EXP_OPT(KM_AUTH_LIST, boot_patchlevel, ASN1_INTEGER, TAG_BOOT_PATCHLEVEL.maskedTag()),
     ASN1_EXP_OPT(KM_AUTH_LIST, attestation_application_id, ASN1_OCTET_STRING,
                  TAG_ATTESTATION_APPLICATION_ID.maskedTag()),
 } ASN1_SEQUENCE_END(KM_AUTH_LIST);
@@ -237,11 +251,18 @@
     copyAuthTag(record->os_version, TAG_OS_VERSION, auth_list);
     copyAuthTag(record->padding, TAG_PADDING, auth_list);
     copyAuthTag(record->purpose, TAG_PURPOSE, auth_list);
-    copyAuthTag(record->rollback_resistant, TAG_ROLLBACK_RESISTANCE, auth_list);
+    copyAuthTag(record->rollback_resistance, TAG_ROLLBACK_RESISTANCE, auth_list);
     copyAuthTag(record->rsa_public_exponent, TAG_RSA_PUBLIC_EXPONENT, auth_list);
     copyAuthTag(record->usage_expire_date_time, TAG_USAGE_EXPIRE_DATETIME, auth_list);
     copyAuthTag(record->user_auth_type, TAG_USER_AUTH_TYPE, auth_list);
     copyAuthTag(record->attestation_application_id, TAG_ATTESTATION_APPLICATION_ID, auth_list);
+    copyAuthTag(record->vendor_patchlevel, TAG_VENDOR_PATCHLEVEL, auth_list);
+    copyAuthTag(record->boot_patchlevel, TAG_BOOT_PATCHLEVEL, auth_list);
+    copyAuthTag(record->trusted_user_presence_required, TAG_TRUSTED_USER_PRESENCE_REQUIRED,
+                auth_list);
+    copyAuthTag(record->trusted_confirmation_required, TAG_TRUSTED_CONFIRMATION_REQUIRED,
+                auth_list);
+    copyAuthTag(record->unlocked_device_required, TAG_UNLOCKED_DEVICE_REQUIRED, auth_list);
 
     return ErrorCode::OK;
 }
diff --git a/keymaster/4.0/support/include/keymasterV4_0/key_param_output.h b/keymaster/4.0/support/include/keymasterV4_0/key_param_output.h
index 74be343..6e2b691 100644
--- a/keymaster/4.0/support/include/keymasterV4_0/key_param_output.h
+++ b/keymaster/4.0/support/include/keymasterV4_0/key_param_output.h
@@ -53,6 +53,10 @@
     return os << toString(value);
 }
 
+inline ::std::ostream& operator<<(::std::ostream& os, SecurityLevel value) {
+    return os << toString(value);
+}
+
 template <typename ValueT>
 ::std::ostream& operator<<(::std::ostream& os, const NullOr<ValueT>& value) {
     if (!value.isOk()) {
diff --git a/keymaster/4.0/support/include/keymasterV4_0/keymaster_tags.h b/keymaster/4.0/support/include/keymasterV4_0/keymaster_tags.h
index ce213bc..9e7d252 100644
--- a/keymaster/4.0/support/include/keymasterV4_0/keymaster_tags.h
+++ b/keymaster/4.0/support/include/keymasterV4_0/keymaster_tags.h
@@ -116,6 +116,7 @@
 DECLARE_TYPED_TAG(BLOB_USAGE_REQUIREMENTS);
 DECLARE_TYPED_TAG(BLOCK_MODE);
 DECLARE_TYPED_TAG(BOOTLOADER_ONLY);
+DECLARE_TYPED_TAG(BOOT_PATCHLEVEL);
 DECLARE_TYPED_TAG(CALLER_NONCE);
 DECLARE_TYPED_TAG(CONFIRMATION_TOKEN);
 DECLARE_TYPED_TAG(CREATION_DATETIME);
@@ -141,12 +142,14 @@
 DECLARE_TYPED_TAG(ROOT_OF_TRUST);
 DECLARE_TYPED_TAG(RSA_PUBLIC_EXPONENT);
 DECLARE_TYPED_TAG(TRUSTED_CONFIRMATION_REQUIRED);
+DECLARE_TYPED_TAG(TRUSTED_USER_PRESENCE_REQUIRED);
 DECLARE_TYPED_TAG(UNIQUE_ID);
 DECLARE_TYPED_TAG(UNLOCKED_DEVICE_REQUIRED);
 DECLARE_TYPED_TAG(USAGE_EXPIRE_DATETIME);
 DECLARE_TYPED_TAG(USER_AUTH_TYPE);
 DECLARE_TYPED_TAG(USER_ID);
 DECLARE_TYPED_TAG(USER_SECURE_ID);
+DECLARE_TYPED_TAG(VENDOR_PATCHLEVEL);
 
 template <typename... Elems>
 struct MetaList {};
@@ -163,7 +166,8 @@
              TAG_OS_VERSION_t, TAG_OS_PATCHLEVEL_t, TAG_UNIQUE_ID_t, TAG_ATTESTATION_CHALLENGE_t,
              TAG_ATTESTATION_APPLICATION_ID_t, TAG_RESET_SINCE_ID_ROTATION_t, TAG_PURPOSE_t,
              TAG_ALGORITHM_t, TAG_BLOCK_MODE_t, TAG_DIGEST_t, TAG_PADDING_t,
-             TAG_BLOB_USAGE_REQUIREMENTS_t, TAG_ORIGIN_t, TAG_USER_AUTH_TYPE_t, TAG_EC_CURVE_t>;
+             TAG_BLOB_USAGE_REQUIREMENTS_t, TAG_ORIGIN_t, TAG_USER_AUTH_TYPE_t, TAG_EC_CURVE_t,
+             TAG_BOOT_PATCHLEVEL_t, TAG_VENDOR_PATCHLEVEL_t, TAG_TRUSTED_USER_PRESENCE_REQUIRED_t>;
 
 template <typename TypedTagType>
 struct TypedTag2ValueType;
diff --git a/keymaster/4.0/vts/functional/VerificationTokenTest.cpp b/keymaster/4.0/vts/functional/VerificationTokenTest.cpp
index 6afba0c..3876b16 100644
--- a/keymaster/4.0/vts/functional/VerificationTokenTest.cpp
+++ b/keymaster/4.0/vts/functional/VerificationTokenTest.cpp
@@ -111,8 +111,9 @@
 
     EXPECT_GE(host_time_delta, time_to_sleep)
         << "We slept for " << time_to_sleep << " ms, the clock must have advanced by that much";
-    EXPECT_LE(host_time_delta, time_to_sleep + 10)
-        << "The verifyAuthorization call took more than 10 ms?  That's awful!";
+    EXPECT_LE(host_time_delta, time_to_sleep + 20)
+        << "The verifyAuthorization call took " << (host_time_delta - time_to_sleep)
+        << " ms?  That's awful!";
 
     auto km_time_delta = result2.token.timestamp - result1.token.timestamp;
 
diff --git a/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp b/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp
index 450b3eb..3919a69 100644
--- a/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp
+++ b/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp
@@ -182,7 +182,7 @@
 }
 
 bool verify_chain(const hidl_vec<hidl_vec<uint8_t>>& chain) {
-    for (size_t i = 0; i < chain.size() - 1; ++i) {
+    for (size_t i = 0; i < chain.size(); ++i) {
         X509_Ptr key_cert(parse_cert_blob(chain[i]));
         X509_Ptr signing_cert;
         if (i < chain.size() - 1) {
@@ -198,7 +198,8 @@
         if (!signing_pubkey.get()) return false;
 
         EXPECT_EQ(1, X509_verify(key_cert.get(), signing_pubkey.get()))
-            << "Verification of certificate " << i << " failed";
+            << "Verification of certificate " << i << " failed "
+            << "OpenSSL error string: " << ERR_error_string(ERR_get_error(), NULL);
 
         char* cert_issuer =  //
             X509_NAME_oneline(X509_get_issuer_name(key_cert.get()), nullptr, 0);
@@ -246,8 +247,7 @@
     // Attestations don't contain everything in key authorization lists, so we need to filter
     // the key lists to produce the lists that we expect to match the attestations.
     auto tag_list = {
-        Tag::INCLUDE_UNIQUE_ID, Tag::BLOB_USAGE_REQUIREMENTS,
-        Tag::EC_CURVE /* Tag::EC_CURVE will be included by KM2 implementations */,
+        Tag::INCLUDE_UNIQUE_ID, Tag::BLOB_USAGE_REQUIREMENTS, Tag::EC_CURVE, Tag::HARDWARE_TYPE,
     };
     return std::find(tag_list.begin(), tag_list.end(), entry.tag) != tag_list.end();
 }
@@ -271,7 +271,7 @@
 
 bool verify_attestation_record(const string& challenge, const string& app_id,
                                AuthorizationSet expected_sw_enforced,
-                               AuthorizationSet expected_tee_enforced,
+                               AuthorizationSet expected_tee_enforced, SecurityLevel security_level,
                                const hidl_vec<uint8_t>& attestation_cert) {
     X509_Ptr cert(parse_cert_blob(attestation_cert));
     EXPECT_TRUE(!!cert.get());
@@ -290,29 +290,27 @@
     HidlBuf att_challenge;
     HidlBuf att_unique_id;
     HidlBuf att_app_id;
-    EXPECT_EQ(ErrorCode::OK,
-              parse_attestation_record(attest_rec->data,                 //
-                                       attest_rec->length,               //
-                                       &att_attestation_version,         //
-                                       &att_attestation_security_level,  //
-                                       &att_keymaster_version,           //
-                                       &att_keymaster_security_level,    //
-                                       &att_challenge,                   //
-                                       &att_sw_enforced,                 //
-                                       &att_tee_enforced,                //
-                                       &att_unique_id));
 
-    EXPECT_TRUE(att_attestation_version == 1 || att_attestation_version == 2);
+    auto error = parse_attestation_record(attest_rec->data,                 //
+                                          attest_rec->length,               //
+                                          &att_attestation_version,         //
+                                          &att_attestation_security_level,  //
+                                          &att_keymaster_version,           //
+                                          &att_keymaster_security_level,    //
+                                          &att_challenge,                   //
+                                          &att_sw_enforced,                 //
+                                          &att_tee_enforced,                //
+                                          &att_unique_id);
+    EXPECT_EQ(ErrorCode::OK, error);
+    if (error != ErrorCode::OK) return false;
+
+    EXPECT_TRUE(att_attestation_version == 3);
 
     expected_sw_enforced.push_back(TAG_ATTESTATION_APPLICATION_ID, HidlBuf(app_id));
 
-    EXPECT_GE(att_keymaster_version, 3U);
-    EXPECT_EQ(KeymasterHidlTest::IsSecure() ? SecurityLevel::TRUSTED_ENVIRONMENT
-                                            : SecurityLevel::SOFTWARE,
-              att_keymaster_security_level);
-    EXPECT_EQ(KeymasterHidlTest::IsSecure() ? SecurityLevel::TRUSTED_ENVIRONMENT
-                                            : SecurityLevel::SOFTWARE,
-              att_attestation_security_level);
+    EXPECT_EQ(att_keymaster_version, 4U);
+    EXPECT_EQ(security_level, att_keymaster_security_level);
+    EXPECT_EQ(security_level, att_attestation_security_level);
 
     EXPECT_EQ(challenge.length(), att_challenge.size());
     EXPECT_EQ(0, memcmp(challenge.data(), att_challenge.data(), challenge.length()));
@@ -538,10 +536,16 @@
  * Verifies that keymaster does not support any curve designated as unsupported.
  */
 TEST_F(NewKeyGenerationTest, EcdsaAllValidCurves) {
+    Digest digest;
+    if (SecLevel() == SecurityLevel::STRONGBOX) {
+        digest = Digest::SHA_2_256;
+    } else {
+        digest = Digest::SHA_2_512;
+    }
     for (auto curve : ValidCurves()) {
         EXPECT_EQ(
             ErrorCode::OK,
-            GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(curve).Digest(Digest::SHA_2_512)))
+            GenerateKey(AuthorizationSetBuilder().EcdsaSigningKey(curve).Digest(digest)))
             << "Failed to generate key on curve: " << curve;
         CheckCharacteristics(key_blob_, key_characteristics_);
         CheckedDeleteKey();
@@ -831,6 +835,7 @@
  * 1024-bit key.
  */
 TEST_F(SigningOperationsTest, RsaPssSha512TooSmallKey) {
+    if (SecLevel() == SecurityLevel::STRONGBOX) return;
     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
                                              .RsaSigningKey(1024, 65537)
                                              .Digest(Digest::SHA_2_512)
@@ -1188,10 +1193,12 @@
         0xbe, 0xe8, 0x94, 0x26, 0x74, 0x27, 0x88, 0x59, 0xe1, 0x32, 0x92, 0xfb,
     };
 
-    CheckHmacTestVector(key, message, Digest::SHA_2_224, make_string(sha_224_expected));
     CheckHmacTestVector(key, message, Digest::SHA_2_256, make_string(sha_256_expected));
-    CheckHmacTestVector(key, message, Digest::SHA_2_384, make_string(sha_384_expected));
-    CheckHmacTestVector(key, message, Digest::SHA_2_512, make_string(sha_512_expected));
+    if (SecLevel() != SecurityLevel::STRONGBOX) {
+        CheckHmacTestVector(key, message, Digest::SHA_2_224, make_string(sha_224_expected));
+        CheckHmacTestVector(key, message, Digest::SHA_2_384, make_string(sha_384_expected));
+        CheckHmacTestVector(key, message, Digest::SHA_2_512, make_string(sha_512_expected));
+    }
 }
 
 /*
@@ -1220,10 +1227,12 @@
         0x1d, 0x41, 0x79, 0xbc, 0x89, 0x1d, 0x87, 0xa6,
     };
 
-    CheckHmacTestVector(key, message, Digest::SHA_2_224, make_string(sha_224_expected));
     CheckHmacTestVector(key, message, Digest::SHA_2_256, make_string(sha_256_expected));
-    CheckHmacTestVector(key, message, Digest::SHA_2_384, make_string(sha_384_expected));
-    CheckHmacTestVector(key, message, Digest::SHA_2_512, make_string(sha_512_expected));
+    if (SecLevel() != SecurityLevel::STRONGBOX) {
+        CheckHmacTestVector(key, message, Digest::SHA_2_224, make_string(sha_224_expected));
+        CheckHmacTestVector(key, message, Digest::SHA_2_384, make_string(sha_384_expected));
+        CheckHmacTestVector(key, message, Digest::SHA_2_512, make_string(sha_512_expected));
+    }
 }
 
 /*
@@ -1258,10 +1267,12 @@
         0xf6, 0x3f, 0x0a, 0xec, 0x8b, 0x91, 0x5a, 0x98, 0x5d, 0x78, 0x65, 0x98,
     };
 
-    CheckHmacTestVector(key, message, Digest::SHA_2_224, make_string(sha_224_expected));
     CheckHmacTestVector(key, message, Digest::SHA_2_256, make_string(sha_256_expected));
-    CheckHmacTestVector(key, message, Digest::SHA_2_384, make_string(sha_384_expected));
-    CheckHmacTestVector(key, message, Digest::SHA_2_512, make_string(sha_512_expected));
+    if (SecLevel() != SecurityLevel::STRONGBOX) {
+        CheckHmacTestVector(key, message, Digest::SHA_2_224, make_string(sha_224_expected));
+        CheckHmacTestVector(key, message, Digest::SHA_2_384, make_string(sha_384_expected));
+        CheckHmacTestVector(key, message, Digest::SHA_2_512, make_string(sha_512_expected));
+    }
 }
 
 /*
@@ -1299,10 +1310,12 @@
         0x6d, 0xe0, 0x44, 0x60, 0x65, 0xc9, 0x74, 0x40, 0xfa, 0x8c, 0x6a, 0x58,
     };
 
-    CheckHmacTestVector(key, message, Digest::SHA_2_224, make_string(sha_224_expected));
     CheckHmacTestVector(key, message, Digest::SHA_2_256, make_string(sha_256_expected));
-    CheckHmacTestVector(key, message, Digest::SHA_2_384, make_string(sha_384_expected));
-    CheckHmacTestVector(key, message, Digest::SHA_2_512, make_string(sha_512_expected));
+    if (SecLevel() != SecurityLevel::STRONGBOX) {
+        CheckHmacTestVector(key, message, Digest::SHA_2_224, make_string(sha_224_expected));
+        CheckHmacTestVector(key, message, Digest::SHA_2_384, make_string(sha_384_expected));
+        CheckHmacTestVector(key, message, Digest::SHA_2_512, make_string(sha_512_expected));
+    }
 }
 
 typedef KeymasterHidlTest VerificationOperationsTest;
@@ -1514,7 +1527,7 @@
                             .Authorization(TAG_NO_AUTH_REQUIRED)
                             .Authorization(TAG_ALGORITHM, Algorithm::HMAC)
                             .Authorization(TAG_PURPOSE, KeyPurpose::SIGN)
-                            .Digest(Digest::SHA1)
+                            .Digest(Digest::SHA_2_256)
                             .Authorization(TAG_MIN_MAC_LENGTH, 160),
                         KeyFormat::RAW, key_material, &signing_key, &signing_key_chars));
     EXPECT_EQ(ErrorCode::OK,
@@ -1522,24 +1535,24 @@
                             .Authorization(TAG_NO_AUTH_REQUIRED)
                             .Authorization(TAG_ALGORITHM, Algorithm::HMAC)
                             .Authorization(TAG_PURPOSE, KeyPurpose::VERIFY)
-                            .Digest(Digest::SHA1)
+                            .Digest(Digest::SHA_2_256)
                             .Authorization(TAG_MIN_MAC_LENGTH, 160),
                         KeyFormat::RAW, key_material, &verification_key, &verification_key_chars));
 
     string message = "This is a message.";
     string signature = SignMessage(
         signing_key, message,
-        AuthorizationSetBuilder().Digest(Digest::SHA1).Authorization(TAG_MAC_LENGTH, 160));
+        AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Authorization(TAG_MAC_LENGTH, 160));
 
     // Signing key should not work.
     AuthorizationSet out_params;
     EXPECT_EQ(ErrorCode::INCOMPATIBLE_PURPOSE,
-              Begin(KeyPurpose::VERIFY, signing_key, AuthorizationSetBuilder().Digest(Digest::SHA1),
+              Begin(KeyPurpose::VERIFY, signing_key, AuthorizationSetBuilder().Digest(Digest::SHA_2_256),
                     &out_params, &op_handle_));
 
     // Verification key should work.
     VerifyMessage(verification_key, message, signature,
-                  AuthorizationSetBuilder().Digest(Digest::SHA1));
+                  AuthorizationSetBuilder().Digest(Digest::SHA_2_256));
 
     CheckedDeleteKey(&signing_key);
     CheckedDeleteKey(&verification_key);
@@ -2143,11 +2156,13 @@
  * different digest than was used to encrypt.
  */
 TEST_F(EncryptionOperationsTest, RsaOaepDecryptWithWrongDigest) {
+    if (SecLevel() == SecurityLevel::STRONGBOX) return;
+
     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
                                              .Authorization(TAG_NO_AUTH_REQUIRED)
                                              .RsaEncryptionKey(1024, 65537)
                                              .Padding(PaddingMode::RSA_OAEP)
-                                             .Digest(Digest::SHA_2_256, Digest::SHA_2_224)));
+                                             .Digest(Digest::SHA_2_224, Digest::SHA_2_256)));
     string message = "Hello World!";
     string ciphertext = EncryptMessage(
         message,
@@ -2173,13 +2188,13 @@
                                              .Authorization(TAG_NO_AUTH_REQUIRED)
                                              .RsaEncryptionKey(1024, 65537)
                                              .Padding(PaddingMode::RSA_OAEP)
-                                             .Digest(Digest::SHA1)));
-    constexpr size_t digest_size = 160 /* SHA1 */ / 8;
+                                             .Digest(Digest::SHA_2_256)));
+    constexpr size_t digest_size = 256 /* SHA_2_256 */ / 8;
     constexpr size_t oaep_overhead = 2 * digest_size + 2;
     string message(1024 / 8 - oaep_overhead + 1, 'a');
     EXPECT_EQ(ErrorCode::OK,
               Begin(KeyPurpose::ENCRYPT,
-                    AuthorizationSetBuilder().Padding(PaddingMode::RSA_OAEP).Digest(Digest::SHA1)));
+                    AuthorizationSetBuilder().Padding(PaddingMode::RSA_OAEP).Digest(Digest::SHA_2_256)));
     string result;
     EXPECT_EQ(ErrorCode::INVALID_ARGUMENT, Finish(message, &result));
     EXPECT_EQ(0U, result.size());
@@ -3008,6 +3023,7 @@
  * Verifies that AES GCM mode works when provided additional authenticated data in multiple chunks.
  */
 TEST_F(EncryptionOperationsTest, AesGcmMultiPartAad) {
+    const size_t tag_bits = 128;
     ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
                                              .Authorization(TAG_NO_AUTH_REQUIRED)
                                              .AesEncryptionKey(128)
@@ -3019,7 +3035,7 @@
     auto begin_params = AuthorizationSetBuilder()
                             .BlockMode(BlockMode::GCM)
                             .Padding(PaddingMode::NONE)
-                            .Authorization(TAG_MAC_LENGTH, 128);
+                            .Authorization(TAG_MAC_LENGTH, tag_bits);
     AuthorizationSet begin_out_params;
 
     auto update_params =
@@ -3041,10 +3057,11 @@
     EXPECT_EQ(ErrorCode::OK, Update(op_handle_, update_params, message, &update_out_params,
                                     &ciphertext, &input_consumed));
     EXPECT_EQ(message.size(), input_consumed);
-    EXPECT_EQ(message.size(), ciphertext.size());
     EXPECT_TRUE(update_out_params.empty());
 
     EXPECT_EQ(ErrorCode::OK, Finish("" /* input */, &ciphertext));
+    // Expect 128-bit (16-byte) tag appended to ciphertext.
+    EXPECT_EQ(message.size() + (tag_bits >> 3), ciphertext.size());
 
     // Grab nonce.
     begin_params.push_back(begin_out_params);
@@ -3100,7 +3117,6 @@
     EXPECT_EQ(ErrorCode::OK, Update(op_handle_, update_params, message, &update_out_params,
                                     &ciphertext, &input_consumed));
     EXPECT_EQ(message.size(), input_consumed);
-    EXPECT_EQ(message.size(), ciphertext.size());
     EXPECT_TRUE(update_out_params.empty());
 
     // More AAD
@@ -3827,7 +3843,7 @@
     EXPECT_TRUE(verify_attestation_record("challenge", "foo",                     //
                                           key_characteristics_.softwareEnforced,  //
                                           key_characteristics_.hardwareEnforced,  //
-                                          cert_chain[0]));
+                                          SecLevel(), cert_chain[0]));
 }
 
 /*
@@ -3874,7 +3890,7 @@
     EXPECT_TRUE(verify_attestation_record("challenge", "foo",                     //
                                           key_characteristics_.softwareEnforced,  //
                                           key_characteristics_.hardwareEnforced,  //
-                                          cert_chain[0]));
+                                          SecLevel(), cert_chain[0]));
 }
 
 /*
diff --git a/radio/1.0/vts/functional/radio_hidl_hal_misc.cpp b/radio/1.0/vts/functional/radio_hidl_hal_misc.cpp
index 24d9944..3499762 100644
--- a/radio/1.0/vts/functional/radio_hidl_hal_misc.cpp
+++ b/radio/1.0/vts/functional/radio_hidl_hal_misc.cpp
@@ -779,20 +779,27 @@
                                      {RadioError::NONE, RadioError::REQUEST_NOT_SUPPORTED}));
     }
 
-    /* Setting to carrier restriction needs some time */
-    updateSimCardStatus();
-    auto startTime = std::chrono::system_clock::now();
-    while (cardStatus.cardState != CardState::RESTRICTED &&
-           std::chrono::duration_cast<chrono::seconds>(std::chrono::system_clock::now() - startTime)
-                   .count() < 10) {
-        /* Set 2 seconds as interval to check card status */
-        sleep(2);
+    if (radioRsp->rspInfo.error == RadioError::NONE) {
+        /* Setting to carrier restriction needs some time */
         updateSimCardStatus();
+        auto startTime = std::chrono::system_clock::now();
+        while (cardStatus.cardState != CardState::RESTRICTED &&
+               std::chrono::duration_cast<chrono::seconds>(std::chrono::system_clock::now() -
+                                                           startTime)
+                       .count() < 10) {
+            /* Set 2 seconds as interval to check card status */
+            sleep(2);
+            updateSimCardStatus();
+        }
+        EXPECT_EQ(CardState::RESTRICTED, cardStatus.cardState);
     }
-    EXPECT_EQ(CardState::RESTRICTED, cardStatus.cardState);
     sleep(10);
 
-    /* Reset back to no carrier restriction */
+    /** 
+     * Another test case of the API to cover to allow carrier.
+     * If the API is supported, this is also used to reset to no carrier restriction
+     * status for cardStatus. 
+     */
     memset(&carriers, 0, sizeof(carriers));
     carriers.allowedCarriers.resize(0);
     carriers.excludedCarriers.resize(0);
@@ -808,18 +815,21 @@
                                      {RadioError::NONE, RadioError::REQUEST_NOT_SUPPORTED}));
     }
 
-    /* Resetting back to no carrier restriction needs some time */
-    updateSimCardStatus();
-    startTime = std::chrono::system_clock::now();
-    while (cardStatus.cardState == CardState::RESTRICTED &&
-           std::chrono::duration_cast<chrono::seconds>(std::chrono::system_clock::now() - startTime)
-                   .count() < 10) {
-        /* Set 2 seconds as interval to check card status */
-        sleep(2);
+    if (radioRsp->rspInfo.error == RadioError::NONE) {
+        /* Resetting back to no carrier restriction needs some time */
         updateSimCardStatus();
+        auto startTime = std::chrono::system_clock::now();
+        while (cardStatus.cardState == CardState::RESTRICTED &&
+               std::chrono::duration_cast<chrono::seconds>(std::chrono::system_clock::now() -
+                                                           startTime)
+                       .count() < 10) {
+            /* Set 2 seconds as interval to check card status */
+            sleep(2);
+            updateSimCardStatus();
+        }
+        EXPECT_NE(CardState::RESTRICTED, cardStatus.cardState);
+        sleep(10);
     }
-    EXPECT_NE(CardState::RESTRICTED, cardStatus.cardState);
-    sleep(10);
 }
 
 /*