Merge "Keystore 2.0: Fix permission check for device attestation." am: 850217779e

Original change: https://android-review.googlesource.com/c/platform/system/security/+/1665681

Change-Id: I05e5471e68e3260057d410635a8b113fd4dd2cc0
diff --git a/keystore2/src/security_level.rs b/keystore2/src/security_level.rs
index 20f7226..50d697e 100644
--- a/keystore2/src/security_level.rs
+++ b/keystore2/src/security_level.rs
@@ -372,7 +372,7 @@
         if params.iter().any(|kp| kp.tag == Tag::INCLUDE_UNIQUE_ID) {
             check_key_permission(KeyPerm::gen_unique_id(), key, &None).context(concat!(
                 "In add_certificate_parameters: ",
-                "Caller does not have the permission for device unique attestation."
+                "Caller does not have the permission to generate a unique ID"
             ))?;
         }
 
diff --git a/keystore2/src/utils.rs b/keystore2/src/utils.rs
index 7b58205..48e9bfb 100644
--- a/keystore2/src/utils.rs
+++ b/keystore2/src/utils.rs
@@ -91,7 +91,13 @@
 
 /// This function checks whether a given tag corresponds to the access of device identifiers.
 pub fn is_device_id_attestation_tag(tag: Tag) -> bool {
-    matches!(tag, Tag::ATTESTATION_ID_IMEI | Tag::ATTESTATION_ID_MEID | Tag::ATTESTATION_ID_SERIAL)
+    matches!(
+        tag,
+        Tag::ATTESTATION_ID_IMEI
+            | Tag::ATTESTATION_ID_MEID
+            | Tag::ATTESTATION_ID_SERIAL
+            | Tag::DEVICE_UNIQUE_ATTESTATION
+    )
 }
 
 /// This function checks whether the calling app has the Android permissions needed to attest device
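Review bot: The doc comment on `is_device_id_attestation_tag` still says it matches tags that access device identifiers, but the added `Tag::DEVICE_UNIQUE_ATTESTATION` arm is not an identifier tag. It appears to be listed so that it falls under the same permission check; that is inferred from the commit title, since the caller is outside this hunk. Because this predicate seems to decide which tags get permission-checked, the comment should state that contract, e.g. `/// Returns true for tags that require the device ID attestation permission: the IMEI, MEID and SERIAL attestation IDs, and DEVICE_UNIQUE_ATTESTATION.` The match is an allowlist, so a tag missing from it is presumably passed through without the check. A small unit test asserting `true` for each of the four tags and `false` for an unrelated tag would stop a later edit from dropping an arm unnoticed.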