Allow RKP-only devices to pass keymint VTS

Add test paths for HALs that are RKP-only so that they may pass tests.

Fix up a few tests that were just being skipped for RKP-only HALs.

Test: ran VTS against cuttlefish with no factory key
Bug: 329409739
Change-Id: I5400874dd2f9885c061970a30ea44985353d23ed
diff --git a/security/keymint/aidl/vts/functional/KeyMintTest.cpp b/security/keymint/aidl/vts/functional/KeyMintTest.cpp
index 3bcdd8f..b65218f 100644
--- a/security/keymint/aidl/vts/functional/KeyMintTest.cpp
+++ b/security/keymint/aidl/vts/functional/KeyMintTest.cpp
@@ -37,6 +37,7 @@
 #include <aidl/android/hardware/security/keymint/IRemotelyProvisionedComponent.h>
 #include <aidl/android/hardware/security/keymint/KeyFormat.h>
 
+#include <keymint_support/authorization_set.h>
 #include <keymint_support/key_param_output.h>
 #include <keymint_support/openssl_utils.h>
 
@@ -1146,17 +1147,6 @@
                                .SetDefaultValidity();
 
         auto result = GenerateKey(builder, &key_blob, &key_characteristics);
-        // Strongbox may not support factory provisioned attestation key.
-        if (SecLevel() == SecurityLevel::STRONGBOX) {
-            if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
-                result = GenerateKeyWithSelfSignedAttestKey(
-                        AuthorizationSetBuilder()
-                                .RsaKey(key_size, 65537)
-                                .AttestKey()
-                                .SetDefaultValidity(), /* attest key params */
-                        builder, &key_blob, &key_characteristics);
-            }
-        }
         ASSERT_EQ(ErrorCode::OK, result);
         KeyBlobDeleter deleter(keymint_, key_blob);
         ASSERT_GT(key_blob.size(), 0U);
@@ -1369,17 +1359,6 @@
                            .SetDefaultValidity();
 
     auto result = GenerateKey(builder, &key_blob, &key_characteristics);
-    // Strongbox may not support factory provisioned attestation key.
-    if (SecLevel() == SecurityLevel::STRONGBOX) {
-        if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
-            result = GenerateKeyWithSelfSignedAttestKey(
-                    AuthorizationSetBuilder()
-                            .RsaKey(key_size, 65537)
-                            .AttestKey()
-                            .SetDefaultValidity(), /* attest key params */
-                    builder, &key_blob, &key_characteristics);
-        }
-    }
     ASSERT_EQ(ErrorCode::OK, result);
     KeyBlobDeleter deleter(keymint_, key_blob);
 
@@ -1490,17 +1469,6 @@
                            .SetDefaultValidity();
 
     auto result = GenerateKey(builder, &key_blob, &key_characteristics);
-    // Strongbox may not support factory provisioned attestation key.
-    if (SecLevel() == SecurityLevel::STRONGBOX) {
-        if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
-            result = GenerateKeyWithSelfSignedAttestKey(
-                    AuthorizationSetBuilder()
-                            .RsaKey(2048, 65537)
-                            .AttestKey()
-                            .SetDefaultValidity(), /* attest key params */
-                    builder, &key_blob, &key_characteristics);
-        }
-    }
     ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING, result);
 }
 
@@ -1625,17 +1593,6 @@
                                .SetDefaultValidity();
 
         auto result = GenerateKey(builder, &key_blob, &key_characteristics);
-        // Strongbox may not support factory provisioned attestation key.
-        if (SecLevel() == SecurityLevel::STRONGBOX) {
-            if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
-                result = GenerateKeyWithSelfSignedAttestKey(
-                        AuthorizationSetBuilder()
-                                .RsaKey(key_size, 65537)
-                                .AttestKey()
-                                .SetDefaultValidity(), /* attest key params */
-                        builder, &key_blob, &key_characteristics);
-            }
-        }
         ASSERT_EQ(ErrorCode::OK, result);
         KeyBlobDeleter deleter(keymint_, key_blob);
 
@@ -1877,17 +1834,6 @@
                                .SetDefaultValidity();
 
         auto result = GenerateKey(builder, &key_blob, &key_characteristics);
-        // Strongbox may not support factory provisioned attestation key.
-        if (SecLevel() == SecurityLevel::STRONGBOX) {
-            if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
-                result = GenerateKeyWithSelfSignedAttestKey(
-                        AuthorizationSetBuilder()
-                                .EcdsaKey(curve)
-                                .AttestKey()
-                                .SetDefaultValidity(), /* attest key params */
-                        builder, &key_blob, &key_characteristics);
-            }
-        }
         ASSERT_EQ(ErrorCode::OK, result);
         KeyBlobDeleter deleter(keymint_, key_blob);
         ASSERT_GT(key_blob.size(), 0U);
@@ -2020,17 +1966,6 @@
             // Tag not required to be supported by all KeyMint implementations.
             continue;
         }
-        // Strongbox may not support factory provisioned attestation key.
-        if (SecLevel() == SecurityLevel::STRONGBOX) {
-            if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
-                result = GenerateKeyWithSelfSignedAttestKey(
-                        AuthorizationSetBuilder()
-                                .EcdsaKey(EcCurve::P_256)
-                                .AttestKey()
-                                .SetDefaultValidity(), /* attest key params */
-                        builder, &key_blob, &key_characteristics);
-            }
-        }
         ASSERT_EQ(result, ErrorCode::OK);
         KeyBlobDeleter deleter(keymint_, key_blob);
         ASSERT_GT(key_blob.size(), 0U);
@@ -2082,18 +2017,6 @@
         builder.push_back(tag);
 
         auto error = GenerateKey(builder, &key_blob, &key_characteristics);
-        // Strongbox may not support factory provisioned attestation key.
-        if (SecLevel() == SecurityLevel::STRONGBOX) {
-            if (error == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
-                error = GenerateKeyWithSelfSignedAttestKey(
-                        AuthorizationSetBuilder()
-                                .EcdsaKey(EcCurve::P_256)
-                                .AttestKey()
-                                .SetDefaultValidity(), /* attest key params */
-                        builder, &key_blob, &key_characteristics);
-            }
-        }
-
         device_id_attestation_check_acceptable_error(tag.tag, error);
     }
 }
@@ -2138,10 +2061,6 @@
         AuthorizationSetBuilder builder = base_builder;
         builder.push_back(tag);
         auto result = GenerateKey(builder, &key_blob, &key_characteristics);
-        // Strongbox may not support factory provisioned attestation key.
-        if (SecLevel() == SecurityLevel::STRONGBOX) {
-            if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
-        }
         if (result == ErrorCode::CANNOT_ATTEST_IDS && !isDeviceIdAttestationRequired()) {
             // ID attestation was optional till api level 32, from api level 33 it is mandatory.
             continue;
@@ -2199,16 +2118,6 @@
             builder.Authorization(TAG_RESET_SINCE_ID_ROTATION);
         }
         auto result = GenerateKey(builder);
-        if (SecLevel() == SecurityLevel::STRONGBOX) {
-            if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
-                result = GenerateKeyWithSelfSignedAttestKey(
-                        AuthorizationSetBuilder()
-                                .EcdsaKey(EcCurve::P_256)
-                                .AttestKey()
-                                .SetDefaultValidity(), /* attest key params */
-                        builder, &key_blob_, &key_characteristics_, &cert_chain_);
-            }
-        }
         ASSERT_EQ(ErrorCode::OK, result);
         ASSERT_GT(key_blob_.size(), 0U);
 
@@ -2309,17 +2218,6 @@
                            .SetDefaultValidity();
 
     auto result = GenerateKey(builder, &key_blob, &key_characteristics);
-    // Strongbox may not support factory provisioned attestation key.
-    if (SecLevel() == SecurityLevel::STRONGBOX) {
-        if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
-            result = GenerateKeyWithSelfSignedAttestKey(
-                    AuthorizationSetBuilder()
-                            .EcdsaKey(EcCurve::P_256)
-                            .AttestKey()
-                            .SetDefaultValidity(), /* attest key params */
-                    builder, &key_blob, &key_characteristics);
-        }
-    }
     ASSERT_EQ(result, ErrorCode::OK);
     KeyBlobDeleter deleter(keymint_, key_blob);
     ASSERT_GT(key_blob.size(), 0U);
@@ -2404,17 +2302,6 @@
                            .SetDefaultValidity();
 
     auto result = GenerateKey(builder, &key_blob, &key_characteristics);
-    // Strongbox may not support factory provisioned attestation key.
-    if (SecLevel() == SecurityLevel::STRONGBOX) {
-        if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
-            result = GenerateKeyWithSelfSignedAttestKey(
-                    AuthorizationSetBuilder()
-                            .EcdsaKey(EcCurve::P_256)
-                            .AttestKey()
-                            .SetDefaultValidity(), /* attest key params */
-                    builder, &key_blob, &key_characteristics);
-        }
-    }
     ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING, result);
 }
 
@@ -2482,17 +2369,6 @@
                                .SetDefaultValidity();
 
         auto result = GenerateKey(builder, &key_blob, &key_characteristics);
-        // Strongbox may not support factory provisioned attestation key.
-        if (SecLevel() == SecurityLevel::STRONGBOX) {
-            if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
-                result = GenerateKeyWithSelfSignedAttestKey(
-                        AuthorizationSetBuilder()
-                                .EcdsaKey(EcCurve::P_256)
-                                .AttestKey()
-                                .SetDefaultValidity(), /* attest key params */
-                        builder, &key_blob, &key_characteristics);
-            }
-        }
         ASSERT_EQ(ErrorCode::OK, result);
         KeyBlobDeleter deleter(keymint_, key_blob);
         ASSERT_GT(key_blob.size(), 0U);
@@ -2718,7 +2594,8 @@
                                                      .AttestationChallenge(challenge)
                                                      .AttestationApplicationId(app_id)
                                                      .Authorization(TAG_MIN_MAC_LENGTH, 128),
-                                             &key_blob, &key_characteristics));
+                                             /*attest_key=*/std::nullopt, &key_blob,
+                                             &key_characteristics, &cert_chain_));
         KeyBlobDeleter deleter(keymint_, key_blob);
 
         ASSERT_GT(key_blob.size(), 0U);
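Review bot: The switch to the explicit overload with `/*attest_key=*/std::nullopt` is undocumented at this call, and the hunk ends before any assertion on the `cert_chain_` it now fills. Presumably the explicit `std::nullopt` is there so that no attestation key is substituted on RKP-only devices and the key still comes back without a certificate chain; if so, say it with a comment such as `// Explicit nullopt: no attest key may be substituted here, the chain must stay empty.` and confirm an `ASSERT_EQ(cert_chain_.size(), 0);` follows, as it does in the `@@ -2907` and `@@ -2928` hunks, which need the same comment. `std::nullopt` also needs `<optional>`, which the include hunk does not add, so the file presumably relies on a transitive include. The enclosing test body starts and ends outside this hunk.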
@@ -2907,7 +2784,9 @@
                                                  .EcbMode()
                                                  .Padding(PaddingMode::PKCS7)
                                                  .AttestationChallenge(challenge)
-                                                 .AttestationApplicationId(app_id)));
+                                                 .AttestationApplicationId(app_id),
+                                         /*attest_key=*/std::nullopt, &key_blob_,
+                                         &key_characteristics_, &cert_chain_));
 
     ASSERT_EQ(cert_chain_.size(), 0);
 }
@@ -2928,7 +2807,9 @@
                                                  .Authorization(TAG_NO_AUTH_REQUIRED)
                                                  .Padding(PaddingMode::NONE)
                                                  .AttestationChallenge(challenge)
-                                                 .AttestationApplicationId(app_id)));
+                                                 .AttestationApplicationId(app_id),
+                                         /*attest_key=*/std::nullopt, &key_blob_,
+                                         &key_characteristics_, &cert_chain_));
     ASSERT_EQ(cert_chain_.size(), 0);
 }
 
@@ -8510,17 +8391,6 @@
                                .Authorization(TAG_ATTESTATION_CHALLENGE, challenge)
                                .SetDefaultValidity();
         ErrorCode result = GenerateKey(builder);
-
-        if (SecLevel() == SecurityLevel::STRONGBOX) {
-            if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
-                result = GenerateKeyWithSelfSignedAttestKey(
-                        AuthorizationSetBuilder()
-                                .EcdsaKey(EcCurve::P_256)
-                                .AttestKey()
-                                .SetDefaultValidity(), /* attest key params */
-                        builder, &key_blob_, &key_characteristics_, &cert_chain_);
-            }
-        }
         ASSERT_EQ(ErrorCode::OK, result) << "Failed to generate key";
         ASSERT_GT(cert_chain_.size(), 0);
         X509_Ptr kmKeyCert(parse_cert_blob(cert_chain_[0].encodedCertificate));
@@ -8811,11 +8681,6 @@
     KeyBlobDeleter ecdsa_deleter(keymint_, ecdsaKeyData.blob);
 
     for (const auto& keyData : {aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData}) {
-        // Strongbox may not support factory attestation. Key creation might fail with
-        // ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED
-        if (SecLevel() == SecurityLevel::STRONGBOX && keyData.blob.size() == 0U) {
-            continue;
-        }
         ASSERT_GT(keyData.blob.size(), 0U);
         AuthorizationSet crypto_params = SecLevelAuthorizations(keyData.characteristics);
         EXPECT_TRUE(crypto_params.Contains(TAG_EARLY_BOOT_ONLY)) << crypto_params;