Cope with Keymaster->KeyMint device upgrade When handling keyblob upgrade required, also watch out for an invalid keyblob error that might indicate that a key used to be a km_compat-wrapped Keymaster key. In this situation, try stripping off the km_compat prefix and attempt upgrade of the inner keyblob data instead. Bug: 251426862 Bug: 283077822 Bug: 296403357 Test: tested with ARC upgrade, see b/296403357 Change-Id: I8539455e33ab2e1c97f26174476ee9d616269e74

commit: 5accbaa18afb230a6c6325818cb0502e5fb74501 [log] [tgz]
author: David Drysdale <drysdale@google.com> Wed Apr 12 18:47:10 2023 +0100
committer: David Drysdale <drysdale@google.com> Tue Oct 10 07:04:50 2023 +0100
tree: 17b026625e135fb6ea88cd4c4d52e33db0f63f67
parent: 96db42596910a0012448dc883e26964403ec4aee [diff] [blame]
diff --git a/keystore2/src/rkpd_client.rs b/keystore2/src/rkpd_client.rs
index 938d389..7b4131d 100644
--- a/keystore2/src/rkpd_client.rs
+++ b/keystore2/src/rkpd_client.rs

@@ -666,7 +666,7 @@
     fn test_rkpd_attestation_key_upgrade() {
         binder::ProcessState::start_thread_pool();
         let security_level = SecurityLevel::TRUSTED_ENVIRONMENT;
-        let (keymint, _, _) = get_keymint_device(&security_level).unwrap();
+        let (keymint, info, _) = get_keymint_device(&security_level).unwrap();
         let key_id = get_next_key_id();
         let mut key_upgraded = false;
 
@@ -676,6 +676,7 @@
 
         upgrade_keyblob_if_required_with(
             &*keymint,
+            info.versionNumber,
             &key.keyBlob,
             /*upgrade_params=*/ &[],
             /*km_op=*/
commit	5accbaa18afb230a6c6325818cb0502e5fb74501	[log] [tgz]
author	David Drysdale <drysdale@google.com>	Wed Apr 12 18:47:10 2023 +0100
committer	David Drysdale <drysdale@google.com>	Tue Oct 10 07:04:50 2023 +0100
tree	17b026625e135fb6ea88cd4c4d52e33db0f63f67
parent	96db42596910a0012448dc883e26964403ec4aee [diff] [blame]