Cope with Keymaster->KeyMint device upgrade
When handling the keyblob-upgrade-required case, also watch out for an
invalid keyblob error that might indicate that a key used to be a
km_compat-wrapped Keymaster key.
In this situation, try stripping off the km_compat prefix and
attempt upgrade of the inner keyblob data instead.
Bug: 251426862
Bug: 283077822
Bug: 296403357
Test: tested with ARC upgrade, see b/296403357
Change-Id: I8539455e33ab2e1c97f26174476ee9d616269e74
diff --git a/keystore2/src/security_level.rs b/keystore2/src/security_level.rs
index db44d4b..44ca4c8 100644
--- a/keystore2/src/security_level.rs
+++ b/keystore2/src/security_level.rs
@@ -317,7 +317,6 @@
let (begin_result, upgraded_blob) = self
.upgrade_keyblob_if_required_with(
- &*self.keymint,
key_id_guard,
&km_blob,
blob_metadata.km_uuid().copied(),
@@ -561,7 +560,6 @@
issuer_subject,
}) => self
.upgrade_keyblob_if_required_with(
- &*self.keymint,
Some(key_id_guard),
&KeyBlob::Ref(&blob),
blob_metadata.km_uuid().copied(),
@@ -786,7 +784,6 @@
let (creation_result, _) = self
.upgrade_keyblob_if_required_with(
- &*self.keymint,
Some(wrapping_key_id_guard),
&wrapping_key_blob,
wrapping_blob_metadata.km_uuid().copied(),
@@ -842,7 +839,6 @@
fn upgrade_keyblob_if_required_with<T, F>(
&self,
- km_dev: &dyn IKeyMintDevice,
mut key_id_guard: Option<KeyIdGuard>,
key_blob: &KeyBlob,
km_uuid: Option<Uuid>,
@@ -853,7 +849,8 @@
F: Fn(&[u8]) -> Result<T, Error>,
{
let (v, upgraded_blob) = crate::utils::upgrade_keyblob_if_required_with(
- km_dev,
+ &*self.keymint,
+ self.hw_info.versionNumber,
key_blob,
params,
f,
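Review bot: The new `self.hw_info.versionNumber` argument is passed as a bare integer with nothing at the call site saying what it gates; going by the commit message it presumably lets `crate::utils::upgrade_keyblob_if_required_with` decide whether an invalid-keyblob error may indicate a km_compat-wrapped Keymaster blob, but that logic is not visible in this file. A short comment above the argument, e.g. `// HAL version of self.keymint; the helper uses it to decide whether the km_compat-prefix fallback applies`, would make the security-relevant condition reviewable here. The same applies to the identical addition in the hunk at -893. Since the device is now always `self.keymint` and the version always comes from the `self.hw_info` field, the method's doc comment should also state that the two must describe the same device, so the fallback is never chosen from a stale or mismatched version. The enclosing function starts and ends outside this hunk.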
@@ -893,6 +890,7 @@
{
crate::utils::upgrade_keyblob_if_required_with(
&*self.keymint,
+ self.hw_info.versionNumber,
key_blob,
params,
f,