Enhance Security Logs for Clarity
Addressing numerous reports regarding
the output from the security_level file,
this update improves the logs and resolves
previous bugs.
Test: atest keystore2_test
Test: atest CtsKeystoreTestCases
Change-Id: I682c384383a39df4ee291c49500907e65d9e59aa
diff --git a/keystore2/src/legacy_importer.rs b/keystore2/src/legacy_importer.rs
index f9d5d1b..045f848 100644
--- a/keystore2/src/legacy_importer.rs
+++ b/keystore2/src/legacy_importer.rs
@@ -928,6 +928,6 @@
         },
         |_| Ok(()),
     )
-    .context(ks_err!("Key blob upgrade failed, possibly invalid keyblob for uuid {uuid:?}"))?;
+    .context(ks_err!("getKeyCharacteristics failed: possibly invalid keyblob for uuid {uuid:?}"))?;
     Ok((key_characteristics_to_internal(characteristics), upgraded_blob))
 }
diff --git a/keystore2/src/security_level.rs b/keystore2/src/security_level.rs
index 951acb5..a53ccec 100644
--- a/keystore2/src/security_level.rs
+++ b/keystore2/src/security_level.rs
@@ -515,7 +515,7 @@
         flags: i32,
         _entropy: &[u8],
     ) -> Result<KeyMetadata> {
-        log::info!("security_level: generate_key(key={:?})", key);
+        log::info!("security_level: generate_key(key={:?})", key.alias);
         if key.domain != Domain::BLOB && key.alias.is_none() {
             return Err(error::Error::Km(ErrorCode::INVALID_ARGUMENT))
                 .context(ks_err!("Alias must be specified"));
@@ -586,9 +586,8 @@
                     },
                 )
                 .context(ks_err!(
-                    "While generating Key {:?} with remote \
-                    provisioned attestation key and params: {:?}.",
-                    key.alias,
+                    "While generating with a user-generated \
+                     attestation key, params: {:?}.",
                     log_security_safe_params(¶ms)
                 ))
                 .map(|(result, _)| result),
@@ -632,9 +631,8 @@
                 self.keymint.generateKey(¶ms, None)
             })
             .context(ks_err!(
-                "While generating Key {:?} with remote \
-                provisioned attestation key and params: {:?}.",
-                key.alias,
+                "While generating without a provided \
+                attestation key and params: {:?}.",
                 log_security_safe_params(¶ms)
             )),
         }
@@ -864,7 +862,6 @@
     where
         F: Fn(&[u8]) -> Result<T, Error>,
     {
-        log::info!("upgrade_keyblob_if_required_with(key_id={:?})", key_id_guard);
         let (v, upgraded_blob) = crate::utils::upgrade_keyblob_if_required_with(
             &*self.keymint,
             self.hw_info.versionNumber,
@@ -882,7 +879,7 @@
                 }
             },
         )
-        .context(ks_err!())?;
+        .context(ks_err!("upgrade_keyblob_if_required_with(key_id={:?})", key_id_guard))?;
 
         // If no upgrade was needed, use the opportunity to reencrypt the blob if required
         // and if the a key_id_guard is held. Note: key_id_guard can only be Some if no
@@ -905,10 +902,6 @@
     where
         F: Fn(&[u8]) -> Result<T, Error>,
     {
-        log::info!(
-            "upgrade_rkpd_keyblob_if_required_with(params={:?})",
-            log_security_safe_params(params)
-        );
         let rpc_name = get_remotely_provisioned_component_name(&self.security_level)
             .context(ks_err!("Trying to get IRPC name."))?;
         crate::utils::upgrade_keyblob_if_required_with(
@@ -926,7 +919,10 @@
                 }
             },
         )
-        .context(ks_err!())
+        .context(ks_err!(
+            "upgrade_rkpd_keyblob_if_required_with(params={:?})",
+            log_security_safe_params(params)
+        ))
     }
 
     fn convert_storage_key_to_ephemeral(
diff --git a/keystore2/src/utils.rs b/keystore2/src/utils.rs
index c80bfa5..190258e 100644
--- a/keystore2/src/utils.rs
+++ b/keystore2/src/utils.rs
@@ -551,8 +551,8 @@
     items_to_return
 }
 
-/// Log the key parameters, excluding sensitive ones such as
-/// APPLICATION_DATA and APPLICATION_ID
+/// List all key aliases for a given domain + namespace. whose alias is greater
+/// than start_past_alias (if provided).
 pub fn list_key_entries(
     db: &mut KeystoreDB,
     domain: Domain,