diff --git a/keystore/tests/fuzzer/Android.bp b/keystore/tests/fuzzer/Android.bp
index 5df5c7a..d459f75 100644
--- a/keystore/tests/fuzzer/Android.bp
+++ b/keystore/tests/fuzzer/Android.bp
@@ -40,9 +40,17 @@
     ],
     fuzz_config: {
         cc: [
-            "android-media-fuzzing-reports@google.com",
+            "android-hardware-security@google.com",
         ],
-        componentid: 155276,
+        componentid: 1084732,
+        hotlists: [
+            "4593311",
+        ],
+        description: "The fuzzer targets the APIs of libkeystore-wifi-hidl",
+        vector: "local_no_privileges_required",
+        service_privilege: "privileged",
+        users: "multi_user",
+        fuzzed_code_usage: "shipped",
     },
 }
 
@@ -62,9 +70,17 @@
     ],
     fuzz_config: {
         cc: [
-            "android-media-fuzzing-reports@google.com",
+            "android-hardware-security@google.com",
         ],
-        componentid: 155276,
+        componentid: 1084732,
+        hotlists: [
+            "4593311",
+        ],
+        description: "The fuzzer targets the APIs of libkeystore-attestation-application-id",
+        vector: "local_no_privileges_required",
+        service_privilege: "privileged",
+        users: "multi_user",
+        fuzzed_code_usage: "shipped",
     },
 }
 
diff --git a/keystore2/Android.bp b/keystore2/Android.bp
index 271f94d..c378b42 100644
--- a/keystore2/Android.bp
+++ b/keystore2/Android.bp
@@ -42,6 +42,7 @@
         "android.security.metrics-rust",
         "android.security.rkp_aidl-rust",
         "libaconfig_android_hardware_biometrics_rust",
+        "libandroid_security_flags_rust",
         "libanyhow",
         "libbinder_rs",
         "libkeystore2_aaid-rust",
@@ -55,12 +56,15 @@
         "liblibc",
         "liblog_event_list",
         "liblog_rust",
+        "libmessage_macro",
         "librand",
+        "librkpd_client",
         "librustutils",
         "libserde",
         "libserde_cbor",
         "libthiserror",
         "libtokio",
+        "libwatchdog_rs",
     ],
     shared_libs: [
         "libcutils",
diff --git a/keystore2/TEST_MAPPING b/keystore2/TEST_MAPPING
index f8a1302..57ce78c 100644
--- a/keystore2/TEST_MAPPING
+++ b/keystore2/TEST_MAPPING
@@ -33,6 +33,12 @@
     },
     {
       "name": "keystore2_client_tests"
+    },
+    {
+      "name": "librkpd_client.test"
+    },
+    {
+      "name": "libwatchdog_rs.test"
     }
   ]
 }
diff --git a/keystore2/message_macro/Android.bp b/keystore2/message_macro/Android.bp
new file mode 100644
index 0000000..f1fbad7
--- /dev/null
+++ b/keystore2/message_macro/Android.bp
@@ -0,0 +1,37 @@
+// Copyright 2023, The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package {
+    // See: http://go/android-license-faq
+    // A large-scale-change added 'default_applicable_licenses' to import
+    // all of the 'license_kinds' from "system_security_license"
+    // to get the below license kinds:
+    //   SPDX-license-identifier-Apache-2.0
+    default_applicable_licenses: ["system_security_license"],
+}
+
+rust_defaults {
+    name: "libmessage_macro_defaults",
+    crate_name: "message_macro",
+    srcs: ["src/lib.rs"],
+}
+
+rust_library {
+    name: "libmessage_macro",
+    defaults: ["libmessage_macro_defaults"],
+    apex_available: [
+        "//apex_available:platform",
+        "com.android.virt",
+    ],
+}
diff --git a/keystore2/src/ks_err.rs b/keystore2/message_macro/src/lib.rs
similarity index 76%
rename from keystore2/src/ks_err.rs
rename to keystore2/message_macro/src/lib.rs
index c9c38c0..d8cfab0 100644
--- a/keystore2/src/ks_err.rs
+++ b/keystore2/message_macro/src/lib.rs
@@ -12,20 +12,20 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-//! A ks_err macro that expands error messages to include the file and line number
+//! A macro that generates a message containing the current source file name
+//! and line number.
 
+/// Generates a message containing the current source file name and line number.
 ///
 /// # Examples
 ///
 /// ```
-/// use crate::ks_err;
-///
-/// ks_err!("Key is expired.");
+/// source_location_msg!("Key is expired.");
 /// Result:
 /// "src/lib.rs:7 Key is expired."
 /// ```
 #[macro_export]
-macro_rules! ks_err {
+macro_rules! source_location_msg {
     { $($arg:tt)+ } => {
         format!("{}:{}: {}", file!(), line!(), format_args!($($arg)+))
     };
diff --git a/keystore2/rkpd_client/Android.bp b/keystore2/rkpd_client/Android.bp
new file mode 100644
index 0000000..1de333f
--- /dev/null
+++ b/keystore2/rkpd_client/Android.bp
@@ -0,0 +1,51 @@
+// Copyright 2023, The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package {
+    // See: http://go/android-license-faq
+    // A large-scale-change added 'default_applicable_licenses' to import
+    // all of the 'license_kinds' from "system_security_license"
+    // to get the below license kinds:
+    //   SPDX-license-identifier-Apache-2.0
+    default_applicable_licenses: ["system_security_license"],
+}
+
+rust_defaults {
+    name: "librkpd_client_defaults",
+    crate_name: "rkpd_client",
+    srcs: ["src/lib.rs"],
+    rustlibs: [
+        "android.security.rkp_aidl-rust",
+        "libanyhow",
+        "libbinder_rs",
+        "liblog_rust",
+        "libmessage_macro",
+        "libthiserror",
+        "libtokio",
+    ],
+}
+
+rust_library {
+    name: "librkpd_client",
+    defaults: ["librkpd_client_defaults"],
+}
+
+rust_test {
+    name: "librkpd_client.test",
+    defaults: ["librkpd_client_defaults"],
+    test_suites: ["general-tests"],
+    rustlibs: [
+        "librand",
+    ],
+}
diff --git a/keystore2/src/rkpd_client.rs b/keystore2/rkpd_client/src/lib.rs
similarity index 63%
rename from keystore2/src/rkpd_client.rs
rename to keystore2/rkpd_client/src/lib.rs
index 7b4131d..d8a5276 100644
--- a/keystore2/src/rkpd_client.rs
+++ b/keystore2/rkpd_client/src/lib.rs
@@ -14,11 +14,6 @@
 
 //! Helper wrapper around RKPD interface.
 
-use crate::error::{map_binder_status_code, Error, ResponseCode};
-use crate::globals::get_remotely_provisioned_component_name;
-use crate::ks_err;
-use crate::utils::watchdog as wd;
-use android_hardware_security_keymint::aidl::android::hardware::security::keymint::SecurityLevel::SecurityLevel;
 use android_security_rkp_aidl::aidl::android::security::rkp::{
     IGetKeyCallback::BnGetKeyCallback, IGetKeyCallback::ErrorCode::ErrorCode as GetKeyErrorCode,
     IGetKeyCallback::IGetKeyCallback, IGetRegistrationCallback::BnGetRegistrationCallback,
@@ -28,8 +23,9 @@
     IStoreUpgradedKeyCallback::IStoreUpgradedKeyCallback,
     RemotelyProvisionedKey::RemotelyProvisionedKey,
 };
-use android_security_rkp_aidl::binder::{BinderFeatures, Interface, Strong};
 use anyhow::{Context, Result};
+use binder::{BinderFeatures, Interface, StatusCode, Strong};
+use message_macro::source_location_msg;
 use std::sync::Mutex;
 use std::time::Duration;
 use tokio::sync::oneshot;
@@ -44,6 +40,44 @@
     tokio::runtime::Builder::new_current_thread().enable_all().build().unwrap()
 }
 
+/// Errors occurred during the interaction with RKPD.
+#[derive(Debug, Clone, Copy, thiserror::Error, PartialEq, Eq)]
+pub enum Error {
+    /// An RKPD request gets cancelled.
+    #[error("An RKPD request gets cancelled")]
+    RequestCancelled,
+
+    /// Failed to get registration.
+    #[error("Failed to get registration")]
+    GetRegistrationFailed,
+
+    /// Failed to get key.
+    #[error("Failed to get key: {0:?}")]
+    GetKeyFailed(GetKeyErrorCode),
+
+    /// Failed to store upgraded key.
+    #[error("Failed to store upgraded key")]
+    StoreUpgradedKeyFailed,
+
+    /// Retryable timeout when waiting for a callback.
+    #[error("Retryable timeout when waiting for a callback")]
+    RetryableTimeout,
+
+    /// Timeout when waiting for a callback.
+    #[error("Timeout when waiting for a callback")]
+    Timeout,
+
+    /// Wraps a Binder status code.
+    #[error("Binder transaction error {0:?}")]
+    BinderTransaction(StatusCode),
+}
+
+impl From<StatusCode> for Error {
+    fn from(s: StatusCode) -> Self {
+        Self::BinderTransaction(s)
+    }
+}
+
 /// Thread-safe channel for sending a value once and only once. If a value has
 /// already been send, subsequent calls to send will noop.
 struct SafeSender<T> {
@@ -84,52 +118,43 @@
 
 impl IGetRegistrationCallback for GetRegistrationCallback {
     fn onSuccess(&self, registration: &Strong<dyn IRegistration>) -> binder::Result<()> {
-        let _wp = wd::watch_millis("IGetRegistrationCallback::onSuccess", 500);
         self.registration_tx.send(Ok(registration.clone()));
         Ok(())
     }
     fn onCancel(&self) -> binder::Result<()> {
-        let _wp = wd::watch_millis("IGetRegistrationCallback::onCancel", 500);
         log::warn!("IGetRegistrationCallback cancelled");
         self.registration_tx.send(
-            Err(Error::Rc(ResponseCode::OUT_OF_KEYS_TRANSIENT_ERROR))
-                .context(ks_err!("GetRegistrationCallback cancelled.")),
+            Err(Error::RequestCancelled)
+                .context(source_location_msg!("GetRegistrationCallback cancelled.")),
         );
         Ok(())
     }
     fn onError(&self, description: &str) -> binder::Result<()> {
-        let _wp = wd::watch_millis("IGetRegistrationCallback::onError", 500);
         log::error!("IGetRegistrationCallback failed: '{description}'");
         self.registration_tx.send(
-            Err(Error::Rc(ResponseCode::OUT_OF_KEYS_TRANSIENT_ERROR))
-                .context(ks_err!("GetRegistrationCallback failed: {:?}", description)),
+            Err(Error::GetRegistrationFailed)
+                .context(source_location_msg!("GetRegistrationCallback failed: {:?}", description)),
         );
         Ok(())
     }
 }
 
 /// Make a new connection to a IRegistration service.
-async fn get_rkpd_registration(
-    security_level: &SecurityLevel,
-) -> Result<binder::Strong<dyn IRegistration>> {
+async fn get_rkpd_registration(rpc_name: &str) -> Result<binder::Strong<dyn IRegistration>> {
     let remote_provisioning: Strong<dyn IRemoteProvisioning> =
-        map_binder_status_code(binder::get_interface("remote_provisioning"))
-            .context(ks_err!("Trying to connect to IRemoteProvisioning service."))?;
-
-    let rpc_name = get_remotely_provisioned_component_name(security_level)
-        .context(ks_err!("Trying to get IRPC name."))?;
+        binder::get_interface("remote_provisioning")
+            .map_err(Error::from)
+            .context(source_location_msg!("Trying to connect to IRemoteProvisioning service."))?;
 
     let (tx, rx) = oneshot::channel();
     let cb = GetRegistrationCallback::new_native_binder(tx);
 
     remote_provisioning
-        .getRegistration(&rpc_name, &cb)
-        .context(ks_err!("Trying to get registration."))?;
+        .getRegistration(rpc_name, &cb)
+        .context(source_location_msg!("Trying to get registration."))?;
 
     match timeout(RKPD_TIMEOUT, rx).await {
-        Err(e) => {
-            Err(Error::Rc(ResponseCode::SYSTEM_ERROR)).context(ks_err!("Waiting for RKPD: {:?}", e))
-        }
+        Err(e) => Err(Error::Timeout).context(source_location_msg!("Waiting for RKPD: {:?}", e)),
         Ok(v) => v.unwrap(),
     }
 }
@@ -151,7 +176,6 @@
 
 impl IGetKeyCallback for GetKeyCallback {
     fn onSuccess(&self, key: &RemotelyProvisionedKey) -> binder::Result<()> {
-        let _wp = wd::watch_millis("IGetKeyCallback::onSuccess", 500);
         self.key_tx.send(Ok(RemotelyProvisionedKey {
             keyBlob: key.keyBlob.clone(),
             encodedCertChain: key.encodedCertChain.clone(),
@@ -159,32 +183,15 @@
         Ok(())
     }
     fn onCancel(&self) -> binder::Result<()> {
-        let _wp = wd::watch_millis("IGetKeyCallback::onCancel", 500);
         log::warn!("IGetKeyCallback cancelled");
         self.key_tx.send(
-            Err(Error::Rc(ResponseCode::OUT_OF_KEYS_TRANSIENT_ERROR))
-                .context(ks_err!("GetKeyCallback cancelled.")),
+            Err(Error::RequestCancelled).context(source_location_msg!("GetKeyCallback cancelled.")),
         );
         Ok(())
     }
     fn onError(&self, error: GetKeyErrorCode, description: &str) -> binder::Result<()> {
-        let _wp = wd::watch_millis("IGetKeyCallback::onError", 500);
         log::error!("IGetKeyCallback failed: {description}");
-        let rc = match error {
-            GetKeyErrorCode::ERROR_UNKNOWN => ResponseCode::OUT_OF_KEYS_TRANSIENT_ERROR,
-            GetKeyErrorCode::ERROR_PERMANENT => ResponseCode::OUT_OF_KEYS_PERMANENT_ERROR,
-            GetKeyErrorCode::ERROR_PENDING_INTERNET_CONNECTIVITY => {
-                ResponseCode::OUT_OF_KEYS_PENDING_INTERNET_CONNECTIVITY
-            }
-            GetKeyErrorCode::ERROR_REQUIRES_SECURITY_PATCH => {
-                ResponseCode::OUT_OF_KEYS_REQUIRES_SYSTEM_UPGRADE
-            }
-            _ => {
-                log::error!("Unexpected error from rkpd: {error:?}");
-                ResponseCode::OUT_OF_KEYS_TRANSIENT_ERROR
-            }
-        };
-        self.key_tx.send(Err(Error::Rc(rc)).context(ks_err!(
+        self.key_tx.send(Err(Error::GetKeyFailed(error)).context(source_location_msg!(
             "GetKeyCallback failed: {:?} {:?}",
             error,
             description
@@ -202,7 +209,7 @@
 
     registration
         .getKey(caller_uid.try_into().unwrap(), &cb)
-        .context(ks_err!("Trying to get key."))?;
+        .context(source_location_msg!("Trying to get key."))?;
 
     match timeout(RKPD_TIMEOUT, rx).await {
         Err(e) => {
@@ -210,20 +217,20 @@
             if let Err(e) = registration.cancelGetKey(&cb) {
                 log::error!("IRegistration::cancelGetKey failed: {:?}", e);
             }
-            Err(Error::Rc(ResponseCode::OUT_OF_KEYS_TRANSIENT_ERROR))
-                .context(ks_err!("Waiting for RKPD key timed out: {:?}", e))
+            Err(Error::RetryableTimeout)
+                .context(source_location_msg!("Waiting for RKPD key timed out: {:?}", e))
         }
         Ok(v) => v.unwrap(),
     }
 }
 
 async fn get_rkpd_attestation_key_async(
-    security_level: &SecurityLevel,
+    rpc_name: &str,
     caller_uid: u32,
 ) -> Result<RemotelyProvisionedKey> {
-    let registration = get_rkpd_registration(security_level)
+    let registration = get_rkpd_registration(rpc_name)
         .await
-        .context(ks_err!("Trying to get to IRegistration service."))?;
+        .context(source_location_msg!("Trying to get to IRegistration service."))?;
     get_rkpd_attestation_key_from_registration_async(&registration, caller_uid).await
 }
 
@@ -244,17 +251,15 @@
 
 impl IStoreUpgradedKeyCallback for StoreUpgradedKeyCallback {
     fn onSuccess(&self) -> binder::Result<()> {
-        let _wp = wd::watch_millis("IGetRegistrationCallback::onSuccess", 500);
         self.completer.send(Ok(()));
         Ok(())
     }
 
     fn onError(&self, error: &str) -> binder::Result<()> {
-        let _wp = wd::watch_millis("IGetRegistrationCallback::onError", 500);
-        log::error!("IGetRegistrationCallback failed: {error}");
+        log::error!("IStoreUpgradedKeyCallback failed: {error}");
         self.completer.send(
-            Err(Error::Rc(ResponseCode::SYSTEM_ERROR))
-                .context(ks_err!("Failed to store upgraded key: {:?}", error)),
+            Err(Error::StoreUpgradedKeyFailed)
+                .context(source_location_msg!("Failed to store upgraded key: {:?}", error)),
         );
         Ok(())
     }
@@ -270,61 +275,50 @@
 
     registration
         .storeUpgradedKeyAsync(key_blob, upgraded_blob, &cb)
-        .context(ks_err!("Failed to store upgraded blob with RKPD."))?;
+        .context(source_location_msg!("Failed to store upgraded blob with RKPD."))?;
 
     match timeout(RKPD_TIMEOUT, rx).await {
-        Err(e) => Err(Error::Rc(ResponseCode::SYSTEM_ERROR))
-            .context(ks_err!("Waiting for RKPD to complete storing key: {:?}", e)),
+        Err(e) => Err(Error::Timeout)
+            .context(source_location_msg!("Waiting for RKPD to complete storing key: {:?}", e)),
         Ok(v) => v.unwrap(),
     }
 }
 
 async fn store_rkpd_attestation_key_async(
-    security_level: &SecurityLevel,
+    rpc_name: &str,
     key_blob: &[u8],
     upgraded_blob: &[u8],
 ) -> Result<()> {
-    let registration = get_rkpd_registration(security_level)
+    let registration = get_rkpd_registration(rpc_name)
         .await
-        .context(ks_err!("Trying to get to IRegistration service."))?;
+        .context(source_location_msg!("Trying to get to IRegistration service."))?;
     store_rkpd_attestation_key_with_registration_async(&registration, key_blob, upgraded_blob).await
 }
 
 /// Get attestation key from RKPD.
-pub fn get_rkpd_attestation_key(
-    security_level: &SecurityLevel,
-    caller_uid: u32,
-) -> Result<RemotelyProvisionedKey> {
-    let _wp = wd::watch_millis("Calling get_rkpd_attestation_key()", 500);
-    tokio_rt().block_on(get_rkpd_attestation_key_async(security_level, caller_uid))
+pub fn get_rkpd_attestation_key(rpc_name: &str, caller_uid: u32) -> Result<RemotelyProvisionedKey> {
+    tokio_rt().block_on(get_rkpd_attestation_key_async(rpc_name, caller_uid))
 }
 
 /// Store attestation key in RKPD.
 pub fn store_rkpd_attestation_key(
-    security_level: &SecurityLevel,
+    rpc_name: &str,
     key_blob: &[u8],
     upgraded_blob: &[u8],
 ) -> Result<()> {
-    let _wp = wd::watch_millis("Calling store_rkpd_attestation_key()", 500);
-    tokio_rt().block_on(store_rkpd_attestation_key_async(security_level, key_blob, upgraded_blob))
+    tokio_rt().block_on(store_rkpd_attestation_key_async(rpc_name, key_blob, upgraded_blob))
 }
 
 #[cfg(test)]
 mod tests {
     use super::*;
-    use crate::error::map_km_error;
-    use crate::globals::get_keymint_device;
-    use crate::utils::upgrade_keyblob_if_required_with;
-    use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
-        Algorithm::Algorithm, AttestationKey::AttestationKey, KeyParameter::KeyParameter,
-        KeyParameterValue::KeyParameterValue, Tag::Tag,
-    };
     use android_security_rkp_aidl::aidl::android::security::rkp::IRegistration::BnRegistration;
-    use keystore2_crypto::parse_subject_from_certificate;
-    use std::collections::HashMap;
     use std::sync::atomic::{AtomicU32, Ordering};
     use std::sync::{Arc, Mutex};
 
+    const DEFAULT_RPC_SERVICE_NAME: &str =
+        "android.hardware.security.keymint.IRemotelyProvisionedComponent/default";
+
     struct MockRegistrationValues {
         key: RemotelyProvisionedKey,
         latency: Option<Duration>,
@@ -442,10 +436,7 @@
         assert!(cb.onCancel().is_ok());
 
         let result = tokio_rt().block_on(rx).unwrap();
-        assert_eq!(
-            result.unwrap_err().downcast::<Error>().unwrap(),
-            Error::Rc(ResponseCode::OUT_OF_KEYS_TRANSIENT_ERROR)
-        );
+        assert_eq!(result.unwrap_err().downcast::<Error>().unwrap(), Error::RequestCancelled);
     }
 
     #[test]
@@ -455,10 +446,7 @@
         assert!(cb.onError("error").is_ok());
 
         let result = tokio_rt().block_on(rx).unwrap();
-        assert_eq!(
-            result.unwrap_err().downcast::<Error>().unwrap(),
-            Error::Rc(ResponseCode::OUT_OF_KEYS_TRANSIENT_ERROR)
-        );
+        assert_eq!(result.unwrap_err().downcast::<Error>().unwrap(), Error::GetRegistrationFailed);
     }
 
     #[test]
@@ -480,29 +468,11 @@
         assert!(cb.onCancel().is_ok());
 
         let result = tokio_rt().block_on(rx).unwrap();
-        assert_eq!(
-            result.unwrap_err().downcast::<Error>().unwrap(),
-            Error::Rc(ResponseCode::OUT_OF_KEYS_TRANSIENT_ERROR)
-        );
+        assert_eq!(result.unwrap_err().downcast::<Error>().unwrap(), Error::RequestCancelled);
     }
 
     #[test]
     fn test_get_key_cb_error() {
-        let error_mapping = HashMap::from([
-            (GetKeyErrorCode::ERROR_UNKNOWN, ResponseCode::OUT_OF_KEYS_TRANSIENT_ERROR),
-            (GetKeyErrorCode::ERROR_PERMANENT, ResponseCode::OUT_OF_KEYS_PERMANENT_ERROR),
-            (
-                GetKeyErrorCode::ERROR_PENDING_INTERNET_CONNECTIVITY,
-                ResponseCode::OUT_OF_KEYS_PENDING_INTERNET_CONNECTIVITY,
-            ),
-            (
-                GetKeyErrorCode::ERROR_REQUIRES_SECURITY_PATCH,
-                ResponseCode::OUT_OF_KEYS_REQUIRES_SYSTEM_UPGRADE,
-            ),
-        ]);
-
-        // Loop over the generated list of enum values to better ensure this test stays in
-        // sync with the AIDL.
         for get_key_error in GetKeyErrorCode::enum_values() {
             let (tx, rx) = oneshot::channel();
             let cb = GetKeyCallback::new_native_binder(tx);
@@ -511,7 +481,7 @@
             let result = tokio_rt().block_on(rx).unwrap();
             assert_eq!(
                 result.unwrap_err().downcast::<Error>().unwrap(),
-                Error::Rc(error_mapping[&get_key_error]),
+                Error::GetKeyFailed(get_key_error),
             );
         }
     }
@@ -532,10 +502,7 @@
         assert!(cb.onError("oh no! it failed").is_ok());
 
         let result = tokio_rt().block_on(rx).unwrap();
-        assert_eq!(
-            result.unwrap_err().downcast::<Error>().unwrap(),
-            Error::Rc(ResponseCode::SYSTEM_ERROR)
-        );
+        assert_eq!(result.unwrap_err().downcast::<Error>().unwrap(), Error::StoreUpgradedKeyFailed);
     }
 
     #[test]
@@ -559,10 +526,7 @@
 
         let result =
             tokio_rt().block_on(get_rkpd_attestation_key_from_registration_async(&registration, 0));
-        assert_eq!(
-            result.unwrap_err().downcast::<Error>().unwrap(),
-            Error::Rc(ResponseCode::OUT_OF_KEYS_TRANSIENT_ERROR)
-        );
+        assert_eq!(result.unwrap_err().downcast::<Error>().unwrap(), Error::RetryableTimeout);
     }
 
     #[test]
@@ -587,17 +551,14 @@
             &[],
             &[],
         ));
-        assert_eq!(
-            result.unwrap_err().downcast::<Error>().unwrap(),
-            Error::Rc(ResponseCode::SYSTEM_ERROR)
-        );
+        assert_eq!(result.unwrap_err().downcast::<Error>().unwrap(), Error::Timeout);
     }
 
     #[test]
     fn test_get_rkpd_attestation_key() {
         binder::ProcessState::start_thread_pool();
         let key_id = get_next_key_id();
-        let key = get_rkpd_attestation_key(&SecurityLevel::TRUSTED_ENVIRONMENT, key_id).unwrap();
+        let key = get_rkpd_attestation_key(DEFAULT_RPC_SERVICE_NAME, key_id).unwrap();
         assert!(!key.keyBlob.is_empty());
         assert!(!key.encodedCertChain.is_empty());
     }
@@ -605,12 +566,11 @@
     #[test]
     fn test_get_rkpd_attestation_key_same_caller() {
         binder::ProcessState::start_thread_pool();
-        let sec_level = SecurityLevel::TRUSTED_ENVIRONMENT;
         let key_id = get_next_key_id();
 
         // Multiple calls should return the same key.
-        let first_key = get_rkpd_attestation_key(&sec_level, key_id).unwrap();
-        let second_key = get_rkpd_attestation_key(&sec_level, key_id).unwrap();
+        let first_key = get_rkpd_attestation_key(DEFAULT_RPC_SERVICE_NAME, key_id).unwrap();
+        let second_key = get_rkpd_attestation_key(DEFAULT_RPC_SERVICE_NAME, key_id).unwrap();
 
         assert_eq!(first_key.keyBlob, second_key.keyBlob);
         assert_eq!(first_key.encodedCertChain, second_key.encodedCertChain);
@@ -619,13 +579,12 @@
     #[test]
     fn test_get_rkpd_attestation_key_different_caller() {
         binder::ProcessState::start_thread_pool();
-        let sec_level = SecurityLevel::TRUSTED_ENVIRONMENT;
         let first_key_id = get_next_key_id();
         let second_key_id = get_next_key_id();
 
         // Different callers should be getting different keys.
-        let first_key = get_rkpd_attestation_key(&sec_level, first_key_id).unwrap();
-        let second_key = get_rkpd_attestation_key(&sec_level, second_key_id).unwrap();
+        let first_key = get_rkpd_attestation_key(DEFAULT_RPC_SERVICE_NAME, first_key_id).unwrap();
+        let second_key = get_rkpd_attestation_key(DEFAULT_RPC_SERVICE_NAME, second_key_id).unwrap();
 
         assert_ne!(first_key.keyBlob, second_key.keyBlob);
         assert_ne!(first_key.encodedCertChain, second_key.encodedCertChain);
@@ -639,86 +598,24 @@
     //    test case.
     fn test_store_rkpd_attestation_key() {
         binder::ProcessState::start_thread_pool();
-        let sec_level = SecurityLevel::TRUSTED_ENVIRONMENT;
         let key_id = get_next_key_id();
-        let key = get_rkpd_attestation_key(&SecurityLevel::TRUSTED_ENVIRONMENT, key_id).unwrap();
+        let key = get_rkpd_attestation_key(DEFAULT_RPC_SERVICE_NAME, key_id).unwrap();
         let new_blob: [u8; 8] = rand::random();
 
-        assert!(store_rkpd_attestation_key(&sec_level, &key.keyBlob, &new_blob).is_ok());
+        assert!(
+            store_rkpd_attestation_key(DEFAULT_RPC_SERVICE_NAME, &key.keyBlob, &new_blob).is_ok()
+        );
 
-        let new_key =
-            get_rkpd_attestation_key(&SecurityLevel::TRUSTED_ENVIRONMENT, key_id).unwrap();
+        let new_key = get_rkpd_attestation_key(DEFAULT_RPC_SERVICE_NAME, key_id).unwrap();
 
         // Restore original key so that we don't leave RKPD with invalid blobs.
-        assert!(store_rkpd_attestation_key(&sec_level, &new_blob, &key.keyBlob).is_ok());
+        assert!(
+            store_rkpd_attestation_key(DEFAULT_RPC_SERVICE_NAME, &new_blob, &key.keyBlob).is_ok()
+        );
         assert_eq!(new_key.keyBlob, new_blob);
     }
 
     #[test]
-    // This is a helper for a manual test. We want to check that after a system upgrade RKPD
-    // attestation keys can also be upgraded and stored again with RKPD. The steps are:
-    // 1. Run this test and check in stdout that no key upgrade happened.
-    // 2. Perform a system upgrade.
-    // 3. Run this test and check in stdout that key upgrade did happen.
-    //
-    // Note that this test must be run with that same UID every time. Running as root, i.e. UID 0,
-    // should do the trick. Also, use "--nocapture" flag to get stdout.
-    fn test_rkpd_attestation_key_upgrade() {
-        binder::ProcessState::start_thread_pool();
-        let security_level = SecurityLevel::TRUSTED_ENVIRONMENT;
-        let (keymint, info, _) = get_keymint_device(&security_level).unwrap();
-        let key_id = get_next_key_id();
-        let mut key_upgraded = false;
-
-        let key = get_rkpd_attestation_key(&security_level, key_id).unwrap();
-        assert!(!key.keyBlob.is_empty());
-        assert!(!key.encodedCertChain.is_empty());
-
-        upgrade_keyblob_if_required_with(
-            &*keymint,
-            info.versionNumber,
-            &key.keyBlob,
-            /*upgrade_params=*/ &[],
-            /*km_op=*/
-            |blob| {
-                let params = vec![
-                    KeyParameter {
-                        tag: Tag::ALGORITHM,
-                        value: KeyParameterValue::Algorithm(Algorithm::AES),
-                    },
-                    KeyParameter {
-                        tag: Tag::ATTESTATION_CHALLENGE,
-                        value: KeyParameterValue::Blob(vec![0; 16]),
-                    },
-                    KeyParameter { tag: Tag::KEY_SIZE, value: KeyParameterValue::Integer(128) },
-                ];
-                let attestation_key = AttestationKey {
-                    keyBlob: blob.to_vec(),
-                    attestKeyParams: vec![],
-                    issuerSubjectName: parse_subject_from_certificate(&key.encodedCertChain)
-                        .unwrap(),
-                };
-
-                map_km_error(keymint.generateKey(&params, Some(&attestation_key)))
-            },
-            /*new_blob_handler=*/
-            |new_blob| {
-                // This handler is only executed if a key upgrade was performed.
-                key_upgraded = true;
-                store_rkpd_attestation_key(&security_level, &key.keyBlob, new_blob).unwrap();
-                Ok(())
-            },
-        )
-        .unwrap();
-
-        if key_upgraded {
-            println!("RKPD key was upgraded and stored with RKPD.");
-        } else {
-            println!("RKPD key was NOT upgraded.");
-        }
-    }
-
-    #[test]
     fn test_stress_get_rkpd_attestation_key() {
         binder::ProcessState::start_thread_pool();
         let key_id = get_next_key_id();
@@ -729,8 +626,7 @@
         for _ in 0..NTHREADS {
             threads.push(std::thread::spawn(move || {
                 for _ in 0..NCALLS {
-                    let key = get_rkpd_attestation_key(&SecurityLevel::TRUSTED_ENVIRONMENT, key_id)
-                        .unwrap();
+                    let key = get_rkpd_attestation_key(DEFAULT_RPC_SERVICE_NAME, key_id).unwrap();
                     assert!(!key.keyBlob.is_empty());
                     assert!(!key.encodedCertChain.is_empty());
                 }
diff --git a/keystore2/src/database.rs b/keystore2/src/database.rs
index 08361b1..83963f9 100644
--- a/keystore2/src/database.rs
+++ b/keystore2/src/database.rs
@@ -4890,11 +4890,13 @@
         let key_name_enc = SuperKeyType {
             alias: "test_super_key_1",
             algorithm: SuperEncryptionAlgorithm::Aes256Gcm,
+            name: "test_super_key_1",
         };
 
         let key_name_nonenc = SuperKeyType {
             alias: "test_super_key_2",
             algorithm: SuperEncryptionAlgorithm::Aes256Gcm,
+            name: "test_super_key_2",
         };
 
         // Install two super keys.
@@ -5049,7 +5051,6 @@
         for storage in increased_storage_types {
             // Verify the expected storage increased.
             let new = db.get_storage_stat(storage).unwrap();
-            let storage = storage;
             let old = &baseline[&storage.0];
             assert!(new.size >= old.size, "{}: {} >= {}", storage.0, new.size, old.size);
             assert!(
diff --git a/keystore2/src/error.rs b/keystore2/src/error.rs
index 1a048b6..b4c57fb 100644
--- a/keystore2/src/error.rs
+++ b/keystore2/src/error.rs
@@ -28,11 +28,13 @@
 //! be added every time an error is forwarded.
 
 pub use android_hardware_security_keymint::aidl::android::hardware::security::keymint::ErrorCode::ErrorCode;
+use android_security_rkp_aidl::aidl::android::security::rkp::IGetKeyCallback::ErrorCode::ErrorCode as GetKeyErrorCode;
 pub use android_system_keystore2::aidl::android::system::keystore2::ResponseCode::ResponseCode;
 use android_system_keystore2::binder::{
     ExceptionCode, Result as BinderResult, Status as BinderStatus, StatusCode,
 };
 use keystore2_selinux as selinux;
+use rkpd_client::Error as RkpdError;
 use std::cmp::PartialEq;
 use std::ffi::CString;
 
@@ -66,6 +68,49 @@
     }
 }
 
+impl From<RkpdError> for Error {
+    fn from(e: RkpdError) -> Self {
+        match e {
+            RkpdError::RequestCancelled | RkpdError::GetRegistrationFailed => {
+                Error::Rc(ResponseCode::OUT_OF_KEYS_TRANSIENT_ERROR)
+            }
+            RkpdError::GetKeyFailed(e) => {
+                let response_code = match e {
+                    GetKeyErrorCode::ERROR_UNKNOWN => ResponseCode::OUT_OF_KEYS_TRANSIENT_ERROR,
+                    GetKeyErrorCode::ERROR_PERMANENT => ResponseCode::OUT_OF_KEYS_PERMANENT_ERROR,
+                    GetKeyErrorCode::ERROR_PENDING_INTERNET_CONNECTIVITY => {
+                        ResponseCode::OUT_OF_KEYS_PENDING_INTERNET_CONNECTIVITY
+                    }
+                    GetKeyErrorCode::ERROR_REQUIRES_SECURITY_PATCH => {
+                        ResponseCode::OUT_OF_KEYS_REQUIRES_SYSTEM_UPGRADE
+                    }
+                    _ => {
+                        log::error!("Unexpected get key error from rkpd: {e:?}");
+                        ResponseCode::OUT_OF_KEYS_TRANSIENT_ERROR
+                    }
+                };
+                Error::Rc(response_code)
+            }
+            RkpdError::RetryableTimeout => Error::Rc(ResponseCode::OUT_OF_KEYS_TRANSIENT_ERROR),
+            RkpdError::StoreUpgradedKeyFailed | RkpdError::Timeout => {
+                Error::Rc(ResponseCode::SYSTEM_ERROR)
+            }
+            RkpdError::BinderTransaction(s) => Error::BinderTransaction(s),
+        }
+    }
+}
+
+/// Maps an `rkpd_client::Error` that is wrapped with an `anyhow::Error` to a keystore2 `Error`.
+pub fn wrapped_rkpd_error_to_ks_error(e: &anyhow::Error) -> Error {
+    match e.downcast_ref::<RkpdError>() {
+        Some(e) => Error::from(*e),
+        None => {
+            log::error!("Failed to downcast the anyhow::Error to rkpd_client::Error: {e:?}");
+            Error::Rc(ResponseCode::SYSTEM_ERROR)
+        }
+    }
+}
+
 /// Helper function to map the binder status we get from calls into KeyMint
 /// to a Keystore Error. We don't create an anyhow error here to make
 /// it easier to evaluate KeyMint errors, which we must do in some cases, e.g.,
@@ -409,4 +454,35 @@
             expected_error_string
         );
     }
+
+    #[test]
+    fn rkpd_error_is_in_sync_with_response_code() {
+        let error_mapping = [
+            (RkpdError::RequestCancelled, ResponseCode::OUT_OF_KEYS_TRANSIENT_ERROR),
+            (RkpdError::GetRegistrationFailed, ResponseCode::OUT_OF_KEYS_TRANSIENT_ERROR),
+            (
+                RkpdError::GetKeyFailed(GetKeyErrorCode::ERROR_UNKNOWN),
+                ResponseCode::OUT_OF_KEYS_TRANSIENT_ERROR,
+            ),
+            (
+                RkpdError::GetKeyFailed(GetKeyErrorCode::ERROR_PERMANENT),
+                ResponseCode::OUT_OF_KEYS_PERMANENT_ERROR,
+            ),
+            (
+                RkpdError::GetKeyFailed(GetKeyErrorCode::ERROR_PENDING_INTERNET_CONNECTIVITY),
+                ResponseCode::OUT_OF_KEYS_PENDING_INTERNET_CONNECTIVITY,
+            ),
+            (
+                RkpdError::GetKeyFailed(GetKeyErrorCode::ERROR_REQUIRES_SECURITY_PATCH),
+                ResponseCode::OUT_OF_KEYS_REQUIRES_SYSTEM_UPGRADE,
+            ),
+            (RkpdError::StoreUpgradedKeyFailed, ResponseCode::SYSTEM_ERROR),
+            (RkpdError::RetryableTimeout, ResponseCode::OUT_OF_KEYS_TRANSIENT_ERROR),
+            (RkpdError::Timeout, ResponseCode::SYSTEM_ERROR),
+        ];
+        for (rkpd_error, expected_response_code) in error_mapping {
+            let e: Error = rkpd_error.into();
+            assert_eq!(e, Error::Rc(expected_response_code));
+        }
+    }
 } // mod tests
diff --git a/keystore2/src/km_compat.rs b/keystore2/src/km_compat.rs
index f8673fb..cd58fe4 100644
--- a/keystore2/src/km_compat.rs
+++ b/keystore2/src/km_compat.rs
@@ -164,7 +164,7 @@
     }
 }
 
-impl<T> binder::Interface for BacklevelKeyMintWrapper<T> where T: EmulationDetector {}
+impl<T> binder::Interface for BacklevelKeyMintWrapper<T> where T: EmulationDetector + 'static {}
 
 impl<T> IKeyMintDevice for BacklevelKeyMintWrapper<T>
 where
diff --git a/keystore2/src/lib.rs b/keystore2/src/lib.rs
index 3233017..c0eecd8 100644
--- a/keystore2/src/lib.rs
+++ b/keystore2/src/lib.rs
@@ -28,7 +28,6 @@
 pub mod id_rotation;
 /// Internal Representation of Key Parameter and convenience functions.
 pub mod key_parameter;
-pub mod ks_err;
 pub mod legacy_blob;
 pub mod legacy_importer;
 pub mod maintenance;
@@ -38,7 +37,6 @@
 pub mod permission;
 pub mod raw_device;
 pub mod remote_provisioning;
-pub mod rkpd_client;
 pub mod security_level;
 pub mod service;
 pub mod shared_secret_negotiation;
@@ -50,6 +48,6 @@
 mod km_compat;
 mod super_key;
 mod sw_keyblob;
+mod watchdog_helper;
 
-#[cfg(feature = "watchdog")]
-mod watchdog;
+use message_macro::source_location_msg as ks_err;
diff --git a/keystore2/src/remote_provisioning.rs b/keystore2/src/remote_provisioning.rs
index 811ad98..a386d96 100644
--- a/keystore2/src/remote_provisioning.rs
+++ b/keystore2/src/remote_provisioning.rs
@@ -31,10 +31,13 @@
 use keystore2_crypto::parse_subject_from_certificate;
 
 use crate::database::Uuid;
+use crate::error::wrapped_rkpd_error_to_ks_error;
+use crate::globals::get_remotely_provisioned_component_name;
 use crate::ks_err;
 use crate::metrics_store::log_rkp_error_stats;
-use crate::rkpd_client::get_rkpd_attestation_key;
+use crate::watchdog_helper::watchdog as wd;
 use android_security_metrics::aidl::android::security::metrics::RkpError::RkpError as MetricsRkpError;
+use rkpd_client::get_rkpd_attestation_key;
 
 /// Contains helper functions to check if remote provisioning is enabled on the system and, if so,
 /// to assign and retrieve attestation keys and certificate chains.
@@ -93,11 +96,14 @@
         if !self.is_asymmetric_key(params) || key.domain != Domain::APP {
             Ok(None)
         } else {
-            match get_rkpd_attestation_key(&self.security_level, caller_uid) {
+            let rpc_name = get_remotely_provisioned_component_name(&self.security_level)
+                .context(ks_err!("Trying to get IRPC name."))?;
+            let _wd = wd::watch_millis("Calling get_rkpd_attestation_key()", 500);
+            match get_rkpd_attestation_key(&rpc_name, caller_uid) {
                 Err(e) => {
                     if self.is_rkp_only() {
                         log::error!("Error occurred: {:?}", e);
-                        return Err(e);
+                        return Err(wrapped_rkpd_error_to_ks_error(&e)).context(format!("{e:?}"));
                     }
                     log::warn!("Error occurred: {:?}", e);
                     log_rkp_error_stats(
diff --git a/keystore2/src/security_level.rs b/keystore2/src/security_level.rs
index 6696113..7a27452 100644
--- a/keystore2/src/security_level.rs
+++ b/keystore2/src/security_level.rs
@@ -19,14 +19,17 @@
     log_key_deleted, log_key_generated, log_key_imported, log_key_integrity_violation,
 };
 use crate::database::{BlobInfo, CertificateInfo, KeyIdGuard};
-use crate::error::{self, map_km_error, map_or_log_err, Error, ErrorCode};
-use crate::globals::{DB, ENFORCEMENTS, LEGACY_IMPORTER, SUPER_KEY};
+use crate::error::{
+    self, map_km_error, map_or_log_err, wrapped_rkpd_error_to_ks_error, Error, ErrorCode,
+};
+use crate::globals::{
+    get_remotely_provisioned_component_name, DB, ENFORCEMENTS, LEGACY_IMPORTER, SUPER_KEY,
+};
 use crate::key_parameter::KeyParameter as KsKeyParam;
 use crate::key_parameter::KeyParameterValue as KsKeyParamValue;
 use crate::ks_err;
 use crate::metrics_store::log_key_creation_event_stats;
 use crate::remote_provisioning::RemProvState;
-use crate::rkpd_client::store_rkpd_attestation_key;
 use crate::super_key::{KeyBlob, SuperKeyManager};
 use crate::utils::{
     check_device_attestation_permissions, check_key_permission,
@@ -60,6 +63,7 @@
     KeyMetadata::KeyMetadata, KeyParameters::KeyParameters, ResponseCode::ResponseCode,
 };
 use anyhow::{anyhow, Context, Result};
+use rkpd_client::store_rkpd_attestation_key;
 use std::convert::TryInto;
 use std::time::SystemTime;
 
@@ -888,6 +892,8 @@
     where
         F: Fn(&[u8]) -> Result<T, Error>,
     {
+        let rpc_name = get_remotely_provisioned_component_name(&self.security_level)
+            .context(ks_err!("Trying to get IRPC name."))?;
         crate::utils::upgrade_keyblob_if_required_with(
             &*self.keymint,
             self.hw_info.versionNumber,
@@ -895,8 +901,12 @@
             params,
             f,
             |upgraded_blob| {
-                store_rkpd_attestation_key(&self.security_level, key_blob, upgraded_blob)
-                    .context(ks_err!("Failed store_rkpd_attestation_key()."))
+                let _wp = wd::watch_millis("Calling store_rkpd_attestation_key()", 500);
+                if let Err(e) = store_rkpd_attestation_key(&rpc_name, key_blob, upgraded_blob) {
+                    Err(wrapped_rkpd_error_to_ks_error(&e)).context(format!("{e:?}"))
+                } else {
+                    Ok(())
+                }
             },
         )
         .context(ks_err!())
@@ -1057,3 +1067,83 @@
         map_or_log_err(result, Ok)
     }
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use crate::error::map_km_error;
+    use crate::globals::get_keymint_device;
+    use crate::utils::upgrade_keyblob_if_required_with;
+    use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
+        Algorithm::Algorithm, AttestationKey::AttestationKey, KeyParameter::KeyParameter,
+        KeyParameterValue::KeyParameterValue, Tag::Tag,
+    };
+    use keystore2_crypto::parse_subject_from_certificate;
+    use rkpd_client::get_rkpd_attestation_key;
+
+    #[test]
+    // This is a helper for a manual test. We want to check that after a system upgrade RKPD
+    // attestation keys can also be upgraded and stored again with RKPD. The steps are:
+    // 1. Run this test and check in stdout that no key upgrade happened.
+    // 2. Perform a system upgrade.
+    // 3. Run this test and check in stdout that key upgrade did happen.
+    //
+    // Note that this test must be run with that same UID every time. Running as root, i.e. UID 0,
+    // should do the trick. Also, use "--nocapture" flag to get stdout.
+    fn test_rkpd_attestation_key_upgrade() {
+        binder::ProcessState::start_thread_pool();
+        let security_level = SecurityLevel::TRUSTED_ENVIRONMENT;
+        let (keymint, info, _) = get_keymint_device(&security_level).unwrap();
+        let key_id = 0;
+        let mut key_upgraded = false;
+
+        let rpc_name = get_remotely_provisioned_component_name(&security_level).unwrap();
+        let key = get_rkpd_attestation_key(&rpc_name, key_id).unwrap();
+        assert!(!key.keyBlob.is_empty());
+        assert!(!key.encodedCertChain.is_empty());
+
+        upgrade_keyblob_if_required_with(
+            &*keymint,
+            info.versionNumber,
+            &key.keyBlob,
+            /*upgrade_params=*/ &[],
+            /*km_op=*/
+            |blob| {
+                let params = vec![
+                    KeyParameter {
+                        tag: Tag::ALGORITHM,
+                        value: KeyParameterValue::Algorithm(Algorithm::AES),
+                    },
+                    KeyParameter {
+                        tag: Tag::ATTESTATION_CHALLENGE,
+                        value: KeyParameterValue::Blob(vec![0; 16]),
+                    },
+                    KeyParameter { tag: Tag::KEY_SIZE, value: KeyParameterValue::Integer(128) },
+                ];
+                let attestation_key = AttestationKey {
+                    keyBlob: blob.to_vec(),
+                    attestKeyParams: vec![],
+                    issuerSubjectName: parse_subject_from_certificate(&key.encodedCertChain)
+                        .unwrap(),
+                };
+
+                map_km_error(keymint.generateKey(&params, Some(&attestation_key)))
+            },
+            /*new_blob_handler=*/
+            |new_blob| {
+                // This handler is only executed if a key upgrade was performed.
+                key_upgraded = true;
+                let _wp = wd::watch_millis("Calling store_rkpd_attestation_key()", 500);
+                store_rkpd_attestation_key(&rpc_name, &key.keyBlob, new_blob).unwrap();
+                Ok(())
+            },
+        )
+        .unwrap();
+
+        if key_upgraded {
+            println!("RKPD key was upgraded and stored with RKPD.");
+        } else {
+            println!("RKPD key was NOT upgraded.");
+        }
+    }
+}
diff --git a/keystore2/src/super_key.rs b/keystore2/src/super_key.rs
index 128cf4c..898a8c2 100644
--- a/keystore2/src/super_key.rs
+++ b/keystore2/src/super_key.rs
@@ -78,26 +78,35 @@
     pub alias: &'a str,
     /// Encryption algorithm
     pub algorithm: SuperEncryptionAlgorithm,
+    /// What to call this key in log messages. Not used for anything else.
+    pub name: &'a str,
 }
 
 /// The user's AfterFirstUnlock super key. This super key is loaded into memory when the user first
 /// unlocks the device, and it remains in memory until the device reboots. This is used to encrypt
 /// keys that require user authentication but not an unlocked device.
-pub const USER_AFTER_FIRST_UNLOCK_SUPER_KEY: SuperKeyType =
-    SuperKeyType { alias: "USER_SUPER_KEY", algorithm: SuperEncryptionAlgorithm::Aes256Gcm };
+pub const USER_AFTER_FIRST_UNLOCK_SUPER_KEY: SuperKeyType = SuperKeyType {
+    alias: "USER_SUPER_KEY",
+    algorithm: SuperEncryptionAlgorithm::Aes256Gcm,
+    name: "AfterFirstUnlock super key",
+};
+
 /// The user's UnlockedDeviceRequired symmetric super key. This super key is loaded into memory each
 /// time the user unlocks the device, and it is cleared from memory each time the user locks the
 /// device. This is used to encrypt keys that use the UnlockedDeviceRequired key parameter.
 pub const USER_UNLOCKED_DEVICE_REQUIRED_SYMMETRIC_SUPER_KEY: SuperKeyType = SuperKeyType {
     alias: "USER_SCREEN_LOCK_BOUND_KEY",
     algorithm: SuperEncryptionAlgorithm::Aes256Gcm,
+    name: "UnlockedDeviceRequired symmetric super key",
 };
+
 /// The user's UnlockedDeviceRequired asymmetric super key. This is used to allow, while the device
 /// is locked, the creation of keys that use the UnlockedDeviceRequired key parameter. The private
 /// part of this key is loaded and cleared when the symmetric key is loaded and cleared.
 pub const USER_UNLOCKED_DEVICE_REQUIRED_P521_SUPER_KEY: SuperKeyType = SuperKeyType {
     alias: "USER_SCREEN_LOCK_BOUND_P521_KEY",
     algorithm: SuperEncryptionAlgorithm::EcdhP521,
+    name: "UnlockedDeviceRequired asymmetric super key",
 };
 
 /// Superencryption to apply to a new key.
@@ -717,6 +726,47 @@
         }
     }
 
+    fn create_super_key(
+        &mut self,
+        db: &mut KeystoreDB,
+        user_id: UserId,
+        key_type: &SuperKeyType,
+        password: &Password,
+        reencrypt_with: Option<Arc<SuperKey>>,
+    ) -> Result<Arc<SuperKey>> {
+        log::info!("Creating {} for user {}", key_type.name, user_id);
+        let (super_key, public_key) = match key_type.algorithm {
+            SuperEncryptionAlgorithm::Aes256Gcm => {
+                (generate_aes256_key().context(ks_err!("Failed to generate AES-256 key."))?, None)
+            }
+            SuperEncryptionAlgorithm::EcdhP521 => {
+                let key =
+                    ECDHPrivateKey::generate().context(ks_err!("Failed to generate ECDH key"))?;
+                (
+                    key.private_key().context(ks_err!("private_key failed"))?,
+                    Some(key.public_key().context(ks_err!("public_key failed"))?),
+                )
+            }
+        };
+        // Derive an AES-256 key from the password and re-encrypt the super key before we insert it
+        // in the database.
+        let (encrypted_super_key, blob_metadata) =
+            Self::encrypt_with_password(&super_key, password).context(ks_err!())?;
+        let mut key_metadata = KeyMetaData::new();
+        if let Some(pk) = public_key {
+            key_metadata.add(KeyMetaEntry::Sec1PublicKey(pk));
+        }
+        let key_entry = db
+            .store_super_key(user_id, key_type, &encrypted_super_key, &blob_metadata, &key_metadata)
+            .context(ks_err!("Failed to store super key."))?;
+        Ok(Arc::new(SuperKey {
+            algorithm: key_type.algorithm,
+            key: super_key,
+            id: SuperKeyIdentifier::DatabaseId(key_entry.id()),
+            reencrypt_with,
+        }))
+    }
+
     /// Fetch a superencryption key from the database, or create it if it doesn't already exist.
     /// When this is called, the caller must hold the lock on the SuperKeyManager.
     /// So it's OK that the check and creation are different DB transactions.
@@ -737,43 +787,7 @@
                 reencrypt_with,
             )?)
         } else {
-            let (super_key, public_key) = match key_type.algorithm {
-                SuperEncryptionAlgorithm::Aes256Gcm => (
-                    generate_aes256_key().context(ks_err!("Failed to generate AES 256 key."))?,
-                    None,
-                ),
-                SuperEncryptionAlgorithm::EcdhP521 => {
-                    let key = ECDHPrivateKey::generate()
-                        .context(ks_err!("Failed to generate ECDH key"))?;
-                    (
-                        key.private_key().context(ks_err!("private_key failed"))?,
-                        Some(key.public_key().context(ks_err!("public_key failed"))?),
-                    )
-                }
-            };
-            // Derive an AES256 key from the password and re-encrypt the super key
-            // before we insert it in the database.
-            let (encrypted_super_key, blob_metadata) =
-                Self::encrypt_with_password(&super_key, password).context(ks_err!())?;
-            let mut key_metadata = KeyMetaData::new();
-            if let Some(pk) = public_key {
-                key_metadata.add(KeyMetaEntry::Sec1PublicKey(pk));
-            }
-            let key_entry = db
-                .store_super_key(
-                    user_id,
-                    key_type,
-                    &encrypted_super_key,
-                    &blob_metadata,
-                    &key_metadata,
-                )
-                .context(ks_err!("Failed to store super key."))?;
-            Ok(Arc::new(SuperKey {
-                algorithm: key_type.algorithm,
-                key: super_key,
-                id: SuperKeyIdentifier::DatabaseId(key_entry.id()),
-                reencrypt_with,
-            }))
+            self.create_super_key(db, user_id, key_type, password, reencrypt_with)
         }
     }
 
diff --git a/keystore2/src/utils.rs b/keystore2/src/utils.rs
index 80aa7c3..4fd9c8d 100644
--- a/keystore2/src/utils.rs
+++ b/keystore2/src/utils.rs
@@ -20,6 +20,7 @@
 use crate::ks_err;
 use crate::permission;
 use crate::permission::{KeyPerm, KeyPermSet, KeystorePerm};
+pub use crate::watchdog_helper::watchdog;
 use crate::{
     database::{KeyType, KeystoreDB},
     globals::LEGACY_IMPORTER,
@@ -268,7 +269,7 @@
     let mut current_time = libc::timespec { tv_sec: 0, tv_nsec: 0 };
     // SAFETY: The pointer is valid because it comes from a reference, and clock_gettime doesn't
     // retain it beyond the call.
-    unsafe { libc::clock_gettime(libc::CLOCK_MONOTONIC_RAW, &mut current_time) };
+    unsafe { libc::clock_gettime(libc::CLOCK_BOOTTIME, &mut current_time) };
     current_time.tv_sec as i64 * 1000 + (current_time.tv_nsec as i64 / 1_000_000)
 }
 
@@ -421,36 +422,6 @@
     Ok((legacy_keys.len() + num_keys_in_db) as i32)
 }
 
-/// This module provides helpers for simplified use of the watchdog module.
-#[cfg(feature = "watchdog")]
-pub mod watchdog {
-    pub use crate::watchdog::WatchPoint;
-    use crate::watchdog::Watchdog;
-    use lazy_static::lazy_static;
-    use std::sync::Arc;
-    use std::time::Duration;
-
-    lazy_static! {
-        /// A Watchdog thread, that can be used to create watch points.
-        static ref WD: Arc<Watchdog> = Watchdog::new(Duration::from_secs(10));
-    }
-
-    /// Sets a watch point with `id` and a timeout of `millis` milliseconds.
-    pub fn watch_millis(id: &'static str, millis: u64) -> Option<WatchPoint> {
-        Watchdog::watch(&WD, id, Duration::from_millis(millis))
-    }
-
-    /// Like `watch_millis` but with a callback that is called every time a report
-    /// is printed about this watch point.
-    pub fn watch_millis_with(
-        id: &'static str,
-        millis: u64,
-        callback: impl Fn() -> String + Send + 'static,
-    ) -> Option<WatchPoint> {
-        Watchdog::watch_with(&WD, id, Duration::from_millis(millis), callback)
-    }
-}
-
 /// Trait implemented by objects that can be used to decrypt cipher text using AES-GCM.
 pub trait AesGcm {
     /// Deciphers `data` using the initialization vector `iv` and AEAD tag `tag`
@@ -480,25 +451,6 @@
     }
 }
 
-/// This module provides empty/noop implementations of the watch dog utility functions.
-#[cfg(not(feature = "watchdog"))]
-pub mod watchdog {
-    /// Noop watch point.
-    pub struct WatchPoint();
-    /// Sets a Noop watch point.
-    fn watch_millis(_: &'static str, _: u64) -> Option<WatchPoint> {
-        None
-    }
-
-    pub fn watch_millis_with(
-        _: &'static str,
-        _: u64,
-        _: impl Fn() -> String + Send + 'static,
-    ) -> Option<WatchPoint> {
-        None
-    }
-}
-
 #[cfg(test)]
 mod tests {
     use super::*;
diff --git a/keystore2/src/watchdog_helper.rs b/keystore2/src/watchdog_helper.rs
new file mode 100644
index 0000000..92a0abc
--- /dev/null
+++ b/keystore2/src/watchdog_helper.rs
@@ -0,0 +1,64 @@
+// Copyright 2023, The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//! Helpers for the watchdog module.
+
+/// This module provides helpers for simplified use of the watchdog module.
+#[cfg(feature = "watchdog")]
+pub mod watchdog {
+    use lazy_static::lazy_static;
+    use std::sync::Arc;
+    use std::time::Duration;
+    pub use watchdog_rs::WatchPoint;
+    use watchdog_rs::Watchdog;
+
+    lazy_static! {
+        /// A Watchdog thread, that can be used to create watch points.
+        static ref WD: Arc<Watchdog> = Watchdog::new(Duration::from_secs(10));
+    }
+
+    /// Sets a watch point with `id` and a timeout of `millis` milliseconds.
+    pub fn watch_millis(id: &'static str, millis: u64) -> Option<WatchPoint> {
+        Watchdog::watch(&WD, id, Duration::from_millis(millis))
+    }
+
+    /// Like `watch_millis` but with a callback that is called every time a report
+    /// is printed about this watch point.
+    pub fn watch_millis_with(
+        id: &'static str,
+        millis: u64,
+        callback: impl Fn() -> String + Send + 'static,
+    ) -> Option<WatchPoint> {
+        Watchdog::watch_with(&WD, id, Duration::from_millis(millis), callback)
+    }
+}
+
+/// This module provides empty/noop implementations of the watch dog utility functions.
+#[cfg(not(feature = "watchdog"))]
+pub mod watchdog {
+    /// Noop watch point.
+    pub struct WatchPoint();
+    /// Sets a Noop watch point.
+    fn watch_millis(_: &'static str, _: u64) -> Option<WatchPoint> {
+        None
+    }
+
+    pub fn watch_millis_with(
+        _: &'static str,
+        _: u64,
+        _: impl Fn() -> String + Send + 'static,
+    ) -> Option<WatchPoint> {
+        None
+    }
+}
diff --git a/keystore2/watchdog/Android.bp b/keystore2/watchdog/Android.bp
new file mode 100644
index 0000000..62ede89
--- /dev/null
+++ b/keystore2/watchdog/Android.bp
@@ -0,0 +1,49 @@
+// Copyright 2023, The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package {
+    // See: http://go/android-license-faq
+    // A large-scale-change added 'default_applicable_licenses' to import
+    // all of the 'license_kinds' from "system_security_license"
+    // to get the below license kinds:
+    //   SPDX-license-identifier-Apache-2.0
+    default_applicable_licenses: ["system_security_license"],
+}
+
+rust_defaults {
+    name: "libwatchdog_defaults",
+    crate_name: "watchdog_rs",
+    srcs: ["src/lib.rs"],
+    rustlibs: [
+        "liblog_rust",
+    ]
+}
+
+rust_library {
+    name: "libwatchdog_rs",
+    defaults: ["libwatchdog_defaults"],
+    apex_available: [
+        "//apex_available:platform",
+        "com.android.virt",
+    ],
+}
+
+rust_test {
+    name: "libwatchdog_rs.test",
+    defaults: ["libwatchdog_defaults"],
+    test_suites: ["general-tests"],
+    rustlibs: [
+        "libandroid_logger",
+    ]
+}
diff --git a/keystore2/src/watchdog.rs b/keystore2/watchdog/src/lib.rs
similarity index 100%
rename from keystore2/src/watchdog.rs
rename to keystore2/watchdog/src/lib.rs
diff --git a/provisioner/Android.bp b/provisioner/Android.bp
index 0bf687d..605abb4 100644
--- a/provisioner/Android.bp
+++ b/provisioner/Android.bp
@@ -30,6 +30,7 @@
     ],
     shared_libs: [
         "libbinder_ndk",
+        "libcrypto",
         "liblog",
     ],
     static_libs: [
@@ -39,7 +40,6 @@
         "libbase",
         "libcppbor_external",
         "libcppcose_rkp",
-        "libcrypto_static",
         "libjsoncpp",
         "libkeymint_remote_prov_support",
         "libmediadrmrkp",