Merge "AesInvalidKeySize skip 192 on SB devices" into sc-dev am: f0394173a4
Original change: https://googleplex-android-review.googlesource.com/c/platform/hardware/interfaces/+/15596426
Change-Id: Ic062d555736fef27f8ede837e109b50ac9f86efe
diff --git a/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp b/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp
index 476eed8..93fb19d 100644
--- a/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp
+++ b/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp
@@ -940,7 +940,11 @@
* UNSUPPORTED_KEY_SIZE.
*/
TEST_P(NewKeyGenerationTest, AesInvalidKeySize) {
+ int32_t firstApiLevel = property_get_int32("ro.board.first_api_level", 0);
for (auto key_size : InvalidKeySizes(Algorithm::AES)) {
+ if (key_size == 192 && SecLevel() == SecurityLevel::STRONGBOX && firstApiLevel < 31) {
+ continue;
+ }
ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
GenerateKey(AuthorizationSetBuilder()
.Authorization(TAG_NO_AUTH_REQUIRED)
diff --git a/security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl b/security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl
index 2241735..4e81e71 100644
--- a/security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl
+++ b/security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl
@@ -96,7 +96,8 @@
*
* o AES
*
- * - 128 and 256-bit keys
+ * - TRUSTED_ENVIRONMENT IKeyMintDevices must support 128, 192 and 256-bit keys.
+ * STRONGBOX IKeyMintDevices must only support 128 and 256-bit keys.
* - CBC, CTR, ECB and GCM modes. The GCM mode must not allow the use of tags smaller than 96
* bits or nonce lengths other than 96 bits.
* - CBC and ECB modes must support unpadded and PKCS7 padding modes. With no padding CBC and