Merge "Add C++ bindings for Keystore flags" into main
diff --git a/fsverity/OWNERS b/fsverity/OWNERS
index f9e7b25..1f2485a 100644
--- a/fsverity/OWNERS
+++ b/fsverity/OWNERS
@@ -1,4 +1,3 @@
-alanstokes@google.com
 ebiggers@google.com
 jeffv@google.com
 jiyong@google.com
diff --git a/keystore2/src/database.rs b/keystore2/src/database.rs
index 626a1c0..34e0c59 100644
--- a/keystore2/src/database.rs
+++ b/keystore2/src/database.rs
@@ -1163,14 +1163,6 @@
         let mut persistent_path_str = "file:".to_owned();
         persistent_path_str.push_str(&persistent_path.to_string_lossy());
 
-        // Connect to database in specific mode
-        let persistent_path_mode = if keystore2_flags::wal_db_journalmode_v3() {
-            "?journal_mode=WAL".to_owned()
-        } else {
-            "?journal_mode=DELETE".to_owned()
-        };
-        persistent_path_str.push_str(&persistent_path_mode);
-
         Ok(persistent_path_str)
     }
 
diff --git a/keystore2/src/remote_provisioning.rs b/keystore2/src/remote_provisioning.rs
index 2bdafd4..a1ce5f6 100644
--- a/keystore2/src/remote_provisioning.rs
+++ b/keystore2/src/remote_provisioning.rs
@@ -129,6 +129,6 @@
     // by the calling function and allow for natural fallback to the factory key.
     let rpc_name = get_remotely_provisioned_component_name(security_level)
         .context(ks_err!("Trying to get IRPC name."))?;
-    let _wd = wd::watch("Calling get_rkpd_attestation_key()");
+    let _wd = wd::watch_millis("Calling get_rkpd_attestation_key()", 1000);
     rkpd_client::get_rkpd_attestation_key(&rpc_name, caller_uid)
 }
diff --git a/keystore2/tests/keystore2_client_attest_key_tests.rs b/keystore2/tests/keystore2_client_attest_key_tests.rs
index 02dfd3f..553add0 100644
--- a/keystore2/tests/keystore2_client_attest_key_tests.rs
+++ b/keystore2/tests/keystore2_client_attest_key_tests.rs
@@ -13,7 +13,8 @@
 // limitations under the License.
 
 use crate::keystore2_client_test_utils::{
-    app_attest_key_feature_exists, device_id_attestation_feature_exists, get_attest_id_value,
+    app_attest_key_feature_exists, device_id_attestation_check_acceptable_error,
+    device_id_attestation_feature_exists, get_attest_id_value,
     is_second_imei_id_attestation_required, skip_device_id_attest_tests,
 };
 use crate::{
@@ -558,7 +559,7 @@
 }
 
 /// Try to generate an attested key with attestation of invalid device's identifiers. Test should
-/// fail with error response code `CANNOT_ATTEST_IDS`.
+/// fail to generate a key with proper error code.
 #[test]
 fn keystore2_attest_key_fails_with_invalid_attestation_id() {
     skip_test_if_no_device_id_attestation_feature!();
@@ -602,7 +603,7 @@
         ));
 
         assert!(result.is_err());
-        assert_eq!(result.unwrap_err(), Error::Km(ErrorCode::CANNOT_ATTEST_IDS));
+        device_id_attestation_check_acceptable_error(attest_id, result.unwrap_err());
     }
 }
 
diff --git a/keystore2/tests/keystore2_client_device_unique_attestation_tests.rs b/keystore2/tests/keystore2_client_device_unique_attestation_tests.rs
index 91370c7..fb84808 100644
--- a/keystore2/tests/keystore2_client_device_unique_attestation_tests.rs
+++ b/keystore2/tests/keystore2_client_device_unique_attestation_tests.rs
@@ -13,8 +13,9 @@
 // limitations under the License.
 
 use crate::keystore2_client_test_utils::{
-    delete_app_key, get_attest_id_value, is_second_imei_id_attestation_required,
-    perform_sample_asym_sign_verify_op, skip_device_unique_attestation_tests,
+    delete_app_key, device_id_attestation_check_acceptable_error, get_attest_id_value,
+    is_second_imei_id_attestation_required, perform_sample_asym_sign_verify_op,
+    skip_device_unique_attestation_tests,
 };
 use crate::require_keymint;
 use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
@@ -254,7 +255,7 @@
 }
 
 /// Try to generate a device unique attested key with attestation of invalid device's identifiers.
-/// Test should fail with error response code `CANNOT_ATTEST_IDS`.
+/// Test should fail to generate a key with proper error code.
 #[test]
 fn keystore2_device_unique_attest_key_fails_with_invalid_attestation_id() {
     let Some(sl) = SecLevel::strongbox() else { return };
@@ -288,7 +289,7 @@
         let result =
             key_generations::map_ks_error(key_generations::generate_key(&sl, &gen_params, alias));
         assert!(result.is_err());
-        assert_eq!(result.unwrap_err(), Error::Km(ErrorCode::CANNOT_ATTEST_IDS));
+        device_id_attestation_check_acceptable_error(attest_id, result.unwrap_err());
     }
 }
 
diff --git a/keystore2/tests/keystore2_client_test_utils.rs b/keystore2/tests/keystore2_client_test_utils.rs
index 1bbdc91..8d70866 100644
--- a/keystore2/tests/keystore2_client_test_utils.rs
+++ b/keystore2/tests/keystore2_client_test_utils.rs
@@ -618,3 +618,25 @@
     let serial_num = cert.serial_number();
     assert_eq!(serial_num.to_bn().as_ref().unwrap(), expected_serial_num);
 }
+
+/// Check the error code from an attempt to perform device ID attestation with an invalid value.
+pub fn device_id_attestation_check_acceptable_error(attest_id_tag: Tag, e: Error) {
+    match e {
+        // Standard/default error code for ID mismatch.
+        Error::Km(ErrorCode::CANNOT_ATTEST_IDS) => {}
+        Error::Km(ErrorCode::INVALID_TAG) if get_vsr_api_level() < 34 => {
+            // Allow older implementations to (incorrectly) use INVALID_TAG.
+        }
+        Error::Km(ErrorCode::ATTESTATION_IDS_NOT_PROVISIONED)
+            if matches!(
+                attest_id_tag,
+                Tag::ATTESTATION_ID_IMEI
+                    | Tag::ATTESTATION_ID_MEID
+                    | Tag::ATTESTATION_ID_SECOND_IMEI
+            ) =>
+        {
+            // Non-phone devices will not have IMEI/MEID provisioned.
+        }
+        _ => panic!("Unexpected error {e:?} on ID mismatch for {attest_id_tag:?}"),
+    }
+}
diff --git a/prng_seeder/src/main.rs b/prng_seeder/src/main.rs
index d112d61..c6adfd4 100644
--- a/prng_seeder/src/main.rs
+++ b/prng_seeder/src/main.rs
@@ -69,11 +69,11 @@
 }
 
 fn setup() -> Result<(ConditionerBuilder, UnixListener)> {
+    configure_logging()?;
+    let cli = Cli::try_parse()?;
     // SAFETY: nobody has taken ownership of the inherited FDs yet.
     unsafe { rustutils::inherited_fd::init_once() }
         .context("In setup, failed to own inherited FDs")?;
-    configure_logging()?;
-    let cli = Cli::try_parse()?;
     // SAFETY: Nothing else sets the signal handler, so either it was set here or it is the default.
     unsafe { signal::signal(signal::Signal::SIGPIPE, signal::SigHandler::SigIgn) }
         .context("In setup, setting SIGPIPE to SIG_IGN")?;