Remove Tag::PURPOSE before passing KeyParameters to km_dev.begin()
Some keymint/keymaster devices return an error if Tag::PURPOSE is
present in the key parameters passed to the keymint/keymaster device's
begin() method. So we remove that Tag from the KeyParameters. The
Tag::PURPOSE is communicated to begin() as a separate argument anyway,
so the begin() method still has all the information it needs.
Bug: 184861759
Test: Cuttlefish and Bramble boot
Change-Id: Ifb08565ea29b9d148879533164266ccd113618c9
diff --git a/keystore2/src/security_level.rs b/keystore2/src/security_level.rs
index 1cf770f..f574467 100644
--- a/keystore2/src/security_level.rs
+++ b/keystore2/src/security_level.rs
@@ -278,6 +278,12 @@
},
)?;
+ // Remove Tag::PURPOSE from the operation_parameters, since some keymaster devices return
+ // an error on begin() if Tag::PURPOSE is in the operation_parameters.
+ let op_params: Vec<KeyParameter> =
+ operation_parameters.iter().filter(|p| p.tag != Tag::PURPOSE).cloned().collect();
+ let operation_parameters = op_params.as_slice();
+
let (immediate_hat, mut auth_info) = ENFORCEMENTS
.authorize_create(
purpose,
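Review bot: The rebinding `let operation_parameters = op_params.as_slice();` sits above the `ENFORCEMENTS.authorize_create(` call, so every later use in this function, presumably the authorization step as well as `begin()`, now sees the list with Tag::PURPOSE stripped. If the aim is only to work around the device-side error, consider leaving the original slice in place for enforcement and passing the filtered one to `begin()` alone. Otherwise state the scope in the comment, e.g. `// Shadows operation_parameters for the rest of this function; the purpose argument is the only source of the operation purpose from here on.` A caller-supplied Tag::PURPOSE that disagrees with `purpose` is also dropped silently, so it is worth deciding explicitly whether that mismatch should be rejected or logged. The enclosing function starts and ends outside the hunk, so the later uses of the slice are not visible here.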