Keystore and KeyMint version bump
Bug: 369375199
Test: Builds
Ignore-AOSP-First: Lands with other HAL version bump changes to avoid
build failure. At least one of the changes is internal. Will
cherry-pick to AOSP ASAP.
Change-Id: I46b6cc227ef7484932f298733efd73ec7dec2cf3
diff --git a/keystore2/src/globals.rs b/keystore2/src/globals.rs
index 39d6f9c..0e8892b 100644
--- a/keystore2/src/globals.rs
+++ b/keystore2/src/globals.rs
@@ -271,17 +271,8 @@
// If the KeyMint device is back-level, use a wrapper that intercepts and
// emulates things that are not supported by the hardware.
let keymint = match hal_version {
- Some(300) => {
- // Current KeyMint version: use as-is as v3 Keymint is current version
- log::info!(
- "KeyMint device is current version ({:?}) for security level: {:?}",
- hal_version,
- security_level
- );
- keymint
- }
- Some(200) => {
- // Previous KeyMint version: use as-is as we don't have any software emulation of v3-specific KeyMint features.
+ Some(400) | Some(300) | Some(200) => {
+ // KeyMint v2+: use as-is (we don't have any software emulation of v3 or v4-specific KeyMint features).
log::info!(
"KeyMint device is current version ({:?}) for security level: {:?}",
hal_version,
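Review bot: The log text kept under the merged arm still reads `KeyMint device is current version`, although the arm now also matches 200 and 300, so a v2 or v3 HAL is reported as current in the very log line someone would check when a v4-only feature is missing. Suggest wording that states what happens, e.g. `"KeyMint device version {:?} used as-is (no emulation wrapper) for security level: {:?}"`. The pattern could also be written `Some(200 | 300 | 400)`. The `match` and the `log::info!` call continue outside the hunk.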
diff --git a/keystore2/src/km_compat.rs b/keystore2/src/km_compat.rs
index 5e3bdfa..95e9294 100644
--- a/keystore2/src/km_compat.rs
+++ b/keystore2/src/km_compat.rs
@@ -214,6 +214,12 @@
fn sendRootOfTrust(&self, root_of_trust: &[u8]) -> binder::Result<()> {
self.real.sendRootOfTrust(root_of_trust)
}
+ fn setAdditionalAttestationInfo(
+ &self,
+ additional_attestation_info: &[KeyParameter],
+ ) -> binder::Result<()> {
+ self.real.setAdditionalAttestationInfo(additional_attestation_info)
+ }
// For methods that emit keyblobs, check whether the underlying real device
// supports the relevant parameters, and forward to the appropriate device.
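Review bot: `setAdditionalAttestationInfo` is forwarded to `self.real` with no comment on what a back-level device does with the call. Judging by the rest of this commit the method is new in KeyMint v4, so the wrapped device presumably rejects it. A short comment would make that explicit, e.g. `// New in KeyMint v4 (TODO confirm): a back-level real device is expected to return an error; callers must not assume the attestation info was applied.` The same applies to `KeyMintDevice::setAdditionalAttestationInfo` in km_compat.cpp, which returns `UNIMPLEMENTED` without saying why. The enclosing impl block starts and ends outside the hunk.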
diff --git a/keystore2/src/km_compat/km_compat.cpp b/keystore2/src/km_compat/km_compat.cpp
index e9ff1ff..7a6ef4a 100644
--- a/keystore2/src/km_compat/km_compat.cpp
+++ b/keystore2/src/km_compat/km_compat.cpp
@@ -839,6 +839,11 @@
return convertErrorCode(KMV1::ErrorCode::UNIMPLEMENTED);
}
+ScopedAStatus KeyMintDevice::setAdditionalAttestationInfo(
+ const std::vector<KeyParameter>& /* additionalAttestationInfo */) {
+ return convertErrorCode(KMV1::ErrorCode::UNIMPLEMENTED);
+}
+
ScopedAStatus KeyMintOperation::updateAad(const std::vector<uint8_t>& input,
const std::optional<HardwareAuthToken>& optAuthToken,
const std::optional<TimeStampToken>& optTimeStampToken) {
diff --git a/keystore2/src/km_compat/km_compat.h b/keystore2/src/km_compat/km_compat.h
index c4bcdaa..71f7fbe 100644
--- a/keystore2/src/km_compat/km_compat.h
+++ b/keystore2/src/km_compat/km_compat.h
@@ -147,6 +147,9 @@
std::vector<uint8_t>* rootOfTrust);
ScopedAStatus sendRootOfTrust(const std::vector<uint8_t>& rootOfTrust);
+ ScopedAStatus
+ setAdditionalAttestationInfo(const std::vector<KeyParameter>& additionalAttestationInfo);
+
// These are public to allow testing code to use them directly.
// This class should not be used publicly anyway.
std::variant<std::vector<Certificate>, KMV1_ErrorCode>
diff --git a/keystore2/src/km_compat/km_compat_type_conversion.h b/keystore2/src/km_compat/km_compat_type_conversion.h
index 5db7e3d..d6a2dcc 100644
--- a/keystore2/src/km_compat/km_compat_type_conversion.h
+++ b/keystore2/src/km_compat/km_compat_type_conversion.h
@@ -750,8 +750,12 @@
case KMV1::Tag::CERTIFICATE_SUBJECT:
case KMV1::Tag::CERTIFICATE_NOT_BEFORE:
case KMV1::Tag::CERTIFICATE_NOT_AFTER:
+ // These tags do not exist in KM < KeyMint 1.
+ break;
case KMV1::Tag::ATTESTATION_ID_SECOND_IMEI:
- // These tags do not exist in KM < KeyMint 1.0.
+ // This tag doesn't exist in KM < KeyMint 3.
+ case KMV1::Tag::MODULE_HASH:
+ // This tag doesn't exist in KM < KeyMint 4.
break;
case KMV1::Tag::MAX_BOOT_LEVEL:
// Does not exist in API level 30 or below.
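Review bot: `ATTESTATION_ID_SECOND_IMEI` now reaches its `break;` only by falling through the `MODULE_HASH` label, while the certificate tags above were given their own `break;`. Behaviour is the same today, but a statement later added under `MODULE_HASH` would silently apply to `ATTESTATION_ID_SECOND_IMEI` as well; add `break;` after the `// This tag doesn't exist in KM < KeyMint 3.` comment. The enclosing switch starts and ends outside the hunk, so what `break` leads to (presumably the tag is dropped from the converted parameters) is not visible here.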