Cope with Keymaster->KeyMint device upgrade When handling keyblob upgrade required, also watch out for an invalid keyblob error that might indicate that a key used to be a km_compat-wrapped Keymaster key. In this situation, try stripping off the km_compat prefix and attempt upgrade of the inner keyblob data instead. Bug: 251426862 Bug: 283077822 Bug: 296403357 Test: tested with ARC upgrade, see b/296403357 Change-Id: I8539455e33ab2e1c97f26174476ee9d616269e74

commit: 5accbaa18afb230a6c6325818cb0502e5fb74501 [log] [tgz]
author: David Drysdale <drysdale@google.com> Wed Apr 12 18:47:10 2023 +0100
committer: David Drysdale <drysdale@google.com> Tue Oct 10 07:04:50 2023 +0100
tree: 17b026625e135fb6ea88cd4c4d52e33db0f63f67
parent: 96db42596910a0012448dc883e26964403ec4aee [diff] [blame]
diff --git a/keystore2/src/km_compat.rs b/keystore2/src/km_compat.rs
index 035edd9..8eba02d 100644
--- a/keystore2/src/km_compat.rs
+++ b/keystore2/src/km_compat.rs

@@ -32,6 +32,11 @@
 use anyhow::Context;
 use keystore2_crypto::{hmac_sha256, HMAC_SHA256_LEN};
 
+/// Magic prefix used by the km_compat C++ code to mark a key that is owned by an
+/// underlying Keymaster hardware device that has been wrapped by km_compat. (The
+/// final zero byte indicates that the blob is not software emulated.)
+pub const KEYMASTER_BLOB_HW_PREFIX: &[u8] = b"pKMblob\x00";
+
 /// Key data associated with key generation/import.
 #[derive(Debug, PartialEq, Eq)]
 pub enum KeyImportData<'a> {
commit	5accbaa18afb230a6c6325818cb0502e5fb74501	[log] [tgz]
author	David Drysdale <drysdale@google.com>	Wed Apr 12 18:47:10 2023 +0100
committer	David Drysdale <drysdale@google.com>	Tue Oct 10 07:04:50 2023 +0100
tree	17b026625e135fb6ea88cd4c4d52e33db0f63f67
parent	96db42596910a0012448dc883e26964403ec4aee [diff] [blame]