Merge "Migrate Test Targets to New Android Ownership Model" into main
diff --git a/fsverity_init/Android.bp b/fsverity_init/Android.bp
index d9bff3b..5588493 100644
--- a/fsverity_init/Android.bp
+++ b/fsverity_init/Android.bp
@@ -22,12 +22,17 @@
         "libkeyutils",
         "liblog",
     ],
-    cflags: ["-Werror", "-Wall", "-Wextra"],
+    cflags: [
+        "-Werror",
+        "-Wall",
+        "-Wextra",
+    ],
 }
 
 aconfig_declarations {
     name: "aconfig_fsverity_init",
     package: "android.security.flag",
+    container: "system",
     srcs: ["flags.aconfig"],
 }
 
diff --git a/fsverity_init/flags.aconfig b/fsverity_init/flags.aconfig
index 20640d7..495c71c 100644
--- a/fsverity_init/flags.aconfig
+++ b/fsverity_init/flags.aconfig
@@ -1,4 +1,5 @@
 package: "android.security.flag"
+container: "system"
 
 flag {
     name: "deprecate_fsverity_init"
diff --git a/keystore2/Android.bp b/keystore2/Android.bp
index ad151ad..7cb7c37 100644
--- a/keystore2/Android.bp
+++ b/keystore2/Android.bp
@@ -158,6 +158,7 @@
 aconfig_declarations {
     name: "keystore2_flags",
     package: "android.security.keystore2",
+    container: "system",
     srcs: ["aconfig/flags.aconfig"],
 }
 
diff --git a/keystore2/aconfig/flags.aconfig b/keystore2/aconfig/flags.aconfig
index 133c4ab..b67bc6c 100644
--- a/keystore2/aconfig/flags.aconfig
+++ b/keystore2/aconfig/flags.aconfig
@@ -1,4 +1,5 @@
 package: "android.security.keystore2"
+container: "system"
 
 flag {
   name: "wal_db_journalmode_v3"
diff --git a/keystore2/aidl/android/security/maintenance/IKeystoreMaintenance.aidl b/keystore2/aidl/android/security/maintenance/IKeystoreMaintenance.aidl
index e612db9..abea958 100644
--- a/keystore2/aidl/android/security/maintenance/IKeystoreMaintenance.aidl
+++ b/keystore2/aidl/android/security/maintenance/IKeystoreMaintenance.aidl
@@ -151,7 +151,8 @@
      * (addition of a fingerprint, for example), authentication-bound keys may be invalidated.
      * This method allows the platform to find out which apps would be affected (for a given user)
      * when a given user secure ID is removed.
-     * Callers require 'ChangeUser' permission.
+     * Callers require the `android.permission.MANAGE_USERS` Android permission
+     * (not SELinux policy).
      *
      * @param userId The affected user.
      * @param sid The user secure ID - identifier of the authentication method.
diff --git a/keystore2/selinux/src/concurrency_test.rs b/keystore2/selinux/src/concurrency_test.rs
index a5d2df2..fa97f3a 100644
--- a/keystore2/selinux/src/concurrency_test.rs
+++ b/keystore2/selinux/src/concurrency_test.rs
@@ -69,7 +69,7 @@
     android_logger::init_once(
         android_logger::Config::default()
             .with_tag("keystore2_selinux_concurrency_test")
-            .with_min_level(log::Level::Debug),
+            .with_max_level(log::LevelFilter::Debug),
     );
 
     let cpus = num_cpus::get();
diff --git a/keystore2/selinux/src/lib.rs b/keystore2/selinux/src/lib.rs
index 32fdb59..695e029 100644
--- a/keystore2/selinux/src/lib.rs
+++ b/keystore2/selinux/src/lib.rs
@@ -720,7 +720,7 @@
                     android_logger::init_once(
                         android_logger::Config::default()
                             .with_tag("keystore_selinux_tests")
-                            .with_min_level(log::Level::Debug),
+                            .with_max_level(log::LevelFilter::Debug),
                     );
                     let scontext = Context::new("u:r:shell:s0")?;
                     let backend = KeystoreKeyBackend::new()?;
diff --git a/keystore2/src/database.rs b/keystore2/src/database.rs
index 0a1c547..b526daa 100644
--- a/keystore2/src/database.rs
+++ b/keystore2/src/database.rs
@@ -761,22 +761,22 @@
 }
 
 /// Database representation of the monotonic time retrieved from the system call clock_gettime with
-/// CLOCK_MONOTONIC_RAW. Stores monotonic time as i64 in milliseconds.
+/// CLOCK_BOOTTIME. Stores monotonic time as i64 in milliseconds.
 #[derive(Debug, Copy, Clone, Default, Eq, PartialEq, Ord, PartialOrd)]
-pub struct MonotonicRawTime(i64);
+pub struct BootTime(i64);
 
-impl MonotonicRawTime {
-    /// Constructs a new MonotonicRawTime
+impl BootTime {
+    /// Constructs a new BootTime
     pub fn now() -> Self {
         Self(get_current_time_in_milliseconds())
     }
 
-    /// Returns the value of MonotonicRawTime in milliseconds as i64
+    /// Returns the value of BootTime in milliseconds as i64
     pub fn milliseconds(&self) -> i64 {
         self.0
     }
 
-    /// Returns the integer value of MonotonicRawTime as i64
+    /// Returns the integer value of BootTime as i64
     pub fn seconds(&self) -> i64 {
         self.0 / 1000
     }
@@ -787,13 +787,13 @@
     }
 }
 
-impl ToSql for MonotonicRawTime {
+impl ToSql for BootTime {
     fn to_sql(&self) -> rusqlite::Result<ToSqlOutput> {
         Ok(ToSqlOutput::Owned(Value::Integer(self.0)))
     }
 }
 
-impl FromSql for MonotonicRawTime {
+impl FromSql for BootTime {
     fn column_result(value: ValueRef) -> FromSqlResult<Self> {
         Ok(Self(i64::column_result(value)?))
     }
@@ -805,11 +805,11 @@
 pub struct AuthTokenEntry {
     auth_token: HardwareAuthToken,
     // Time received in milliseconds
-    time_received: MonotonicRawTime,
+    time_received: BootTime,
 }
 
 impl AuthTokenEntry {
-    fn new(auth_token: HardwareAuthToken, time_received: MonotonicRawTime) -> Self {
+    fn new(auth_token: HardwareAuthToken, time_received: BootTime) -> Self {
         AuthTokenEntry { auth_token, time_received }
     }
 
@@ -832,7 +832,7 @@
     }
 
     /// Returns the time that this auth token was received.
-    pub fn time_received(&self) -> MonotonicRawTime {
+    pub fn time_received(&self) -> BootTime {
         self.time_received
     }
 
@@ -1167,9 +1167,9 @@
                     "DELETE FROM persistent.blobmetadata WHERE blobentryid = ?;",
                     params![blob_id],
                 )
-                .context("Trying to delete blob metadata.")?;
+                .context(ks_err!("Trying to delete blob metadata: {:?}", blob_id))?;
                 tx.execute("DELETE FROM persistent.blobentry WHERE id = ?;", params![blob_id])
-                    .context("Trying to blob.")?;
+                    .context(ks_err!("Trying to delete blob: {:?}", blob_id))?;
             }
 
             Self::cleanup_unreferenced(tx).context("Trying to cleanup unreferenced.")?;
@@ -2858,14 +2858,12 @@
 
     /// Insert or replace the auth token based on (user_id, auth_id, auth_type)
     pub fn insert_auth_token(&mut self, auth_token: &HardwareAuthToken) {
-        self.perboot.insert_auth_token_entry(AuthTokenEntry::new(
-            auth_token.clone(),
-            MonotonicRawTime::now(),
-        ))
+        self.perboot
+            .insert_auth_token_entry(AuthTokenEntry::new(auth_token.clone(), BootTime::now()))
     }
 
     /// Find the newest auth token matching the given predicate.
-    pub fn find_auth_token_entry<F>(&self, p: F) -> Option<(AuthTokenEntry, MonotonicRawTime)>
+    pub fn find_auth_token_entry<F>(&self, p: F) -> Option<(AuthTokenEntry, BootTime)>
     where
         F: Fn(&AuthTokenEntry) -> bool,
     {
@@ -2873,17 +2871,17 @@
     }
 
     /// Insert last_off_body into the metadata table at the initialization of auth token table
-    pub fn insert_last_off_body(&self, last_off_body: MonotonicRawTime) {
+    pub fn insert_last_off_body(&self, last_off_body: BootTime) {
         self.perboot.set_last_off_body(last_off_body)
     }
 
     /// Update last_off_body when on_device_off_body is called
-    pub fn update_last_off_body(&self, last_off_body: MonotonicRawTime) {
+    pub fn update_last_off_body(&self, last_off_body: BootTime) {
         self.perboot.set_last_off_body(last_off_body)
     }
 
     /// Get last_off_body time when finding auth tokens
-    fn get_last_off_body(&self) -> MonotonicRawTime {
+    fn get_last_off_body(&self) -> BootTime {
         self.perboot.get_last_off_body()
     }
 
@@ -5054,13 +5052,13 @@
     #[test]
     fn test_last_off_body() -> Result<()> {
         let mut db = new_test_db()?;
-        db.insert_last_off_body(MonotonicRawTime::now());
+        db.insert_last_off_body(BootTime::now());
         let tx = db.conn.transaction_with_behavior(TransactionBehavior::Immediate)?;
         tx.commit()?;
         let last_off_body_1 = db.get_last_off_body();
         let one_second = Duration::from_secs(1);
         thread::sleep(one_second);
-        db.update_last_off_body(MonotonicRawTime::now());
+        db.update_last_off_body(BootTime::now());
         let tx2 = db.conn.transaction_with_behavior(TransactionBehavior::Immediate)?;
         tx2.commit()?;
         let last_off_body_2 = db.get_last_off_body();
diff --git a/keystore2/src/database/perboot.rs b/keystore2/src/database/perboot.rs
index 7ff35fa..1b7c80d 100644
--- a/keystore2/src/database/perboot.rs
+++ b/keystore2/src/database/perboot.rs
@@ -15,7 +15,7 @@
 //! This module implements a per-boot, shared, in-memory storage of auth tokens
 //! and last-time-on-body for the main Keystore 2.0 database module.
 
-use super::{AuthTokenEntry, MonotonicRawTime};
+use super::{AuthTokenEntry, BootTime};
 use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
     HardwareAuthToken::HardwareAuthToken, HardwareAuthenticatorType::HardwareAuthenticatorType,
 };
@@ -103,11 +103,11 @@
         matches.last().map(|x| x.0.clone())
     }
     /// Get the last time the device was off the user's body
-    pub fn get_last_off_body(&self) -> MonotonicRawTime {
-        MonotonicRawTime(self.last_off_body.load(Ordering::Relaxed))
+    pub fn get_last_off_body(&self) -> BootTime {
+        BootTime(self.last_off_body.load(Ordering::Relaxed))
     }
     /// Set the last time the device was off the user's body
-    pub fn set_last_off_body(&self, last_off_body: MonotonicRawTime) {
+    pub fn set_last_off_body(&self, last_off_body: BootTime) {
         self.last_off_body.store(last_off_body.0, Ordering::Relaxed)
     }
     /// Return how many auth tokens are currently tracked.
diff --git a/keystore2/src/enforcements.rs b/keystore2/src/enforcements.rs
index 04f26e9..55c9591 100644
--- a/keystore2/src/enforcements.rs
+++ b/keystore2/src/enforcements.rs
@@ -20,7 +20,7 @@
 use crate::key_parameter::{KeyParameter, KeyParameterValue};
 use crate::{authorization::Error as AuthzError, super_key::SuperEncryptionType};
 use crate::{
-    database::{AuthTokenEntry, MonotonicRawTime},
+    database::{AuthTokenEntry, BootTime},
     globals::SUPER_KEY,
 };
 use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
@@ -614,7 +614,7 @@
                     })
                     .ok_or(Error::Km(Ec::KEY_USER_NOT_AUTHENTICATED))
                     .context(ks_err!("No suitable auth token found."))?;
-                let now = MonotonicRawTime::now();
+                let now = BootTime::now();
                 let token_age = now
                     .checked_sub(&hat.time_received())
                     .ok_or_else(Error::sys)
@@ -680,7 +680,7 @@
         // Now check the validity of the auth token if the key is timeout bound.
         let hat = match (hat_and_last_off_body, key_time_out) {
             (Some((hat, last_off_body)), Some(key_time_out)) => {
-                let now = MonotonicRawTime::now();
+                let now = BootTime::now();
                 let token_age = now
                     .checked_sub(&hat.time_received())
                     .ok_or_else(Error::sys)
@@ -728,7 +728,7 @@
         })
     }
 
-    fn find_auth_token<F>(p: F) -> Option<(AuthTokenEntry, MonotonicRawTime)>
+    fn find_auth_token<F>(p: F) -> Option<(AuthTokenEntry, BootTime)>
     where
         F: Fn(&AuthTokenEntry) -> bool,
     {
@@ -853,7 +853,7 @@
         } else {
             // Filter the matching auth tokens by age.
             if auth_token_max_age_millis != 0 {
-                let now_in_millis = MonotonicRawTime::now();
+                let now_in_millis = BootTime::now();
                 let result = Self::find_auth_token(|auth_token_entry: &AuthTokenEntry| {
                     let token_valid = now_in_millis
                         .checked_sub(&auth_token_entry.time_received())
@@ -889,7 +889,7 @@
         &self,
         secure_user_id: i64,
         auth_type: HardwareAuthenticatorType,
-    ) -> Option<MonotonicRawTime> {
+    ) -> Option<BootTime> {
         let sids: Vec<i64> = vec![secure_user_id];
 
         let result =
diff --git a/keystore2/src/error.rs b/keystore2/src/error.rs
index b4c57fb..f0d0d27 100644
--- a/keystore2/src/error.rs
+++ b/keystore2/src/error.rs
@@ -352,7 +352,7 @@
         android_logger::init_once(
             android_logger::Config::default()
                 .with_tag("keystore_error_tests")
-                .with_min_level(log::Level::Debug),
+                .with_max_level(log::LevelFilter::Debug),
         );
         // All Error::Rc(x) get mapped on a service specific error
         // code of x.
diff --git a/keystore2/src/globals.rs b/keystore2/src/globals.rs
index 0f899ed..eb755a6 100644
--- a/keystore2/src/globals.rs
+++ b/keystore2/src/globals.rs
@@ -23,7 +23,7 @@
 use crate::legacy_importer::LegacyImporter;
 use crate::super_key::SuperKeyManager;
 use crate::utils::watchdog as wd;
-use crate::{async_task::AsyncTask, database::MonotonicRawTime};
+use crate::{async_task::AsyncTask, database::BootTime};
 use crate::{
     database::KeystoreDB,
     database::Uuid,
@@ -68,7 +68,7 @@
 
     DB_INIT.call_once(|| {
         log::info!("Touching Keystore 2.0 database for this first time since boot.");
-        db.insert_last_off_body(MonotonicRawTime::now());
+        db.insert_last_off_body(BootTime::now());
         log::info!("Calling cleanup leftovers.");
         let n = db.cleanup_leftovers().expect("Failed to cleanup database on startup.");
         if n != 0 {
diff --git a/keystore2/src/maintenance.rs b/keystore2/src/maintenance.rs
index 8c0ac48..3e34cff 100644
--- a/keystore2/src/maintenance.rs
+++ b/keystore2/src/maintenance.rs
@@ -14,7 +14,7 @@
 
 //! This module implements IKeystoreMaintenance AIDL interface.
 
-use crate::database::{KeyEntryLoadBits, KeyType, MonotonicRawTime};
+use crate::database::{BootTime, KeyEntryLoadBits, KeyType};
 use crate::error::map_km_error;
 use crate::error::map_or_log_err;
 use crate::error::Error;
@@ -24,7 +24,8 @@
 use crate::permission::{KeyPerm, KeystorePerm};
 use crate::super_key::{SuperKeyManager, UserState};
 use crate::utils::{
-    check_key_permission, check_keystore_permission, uid_to_android_user, watchdog as wd,
+    check_get_app_uids_affected_by_sid_permissions, check_key_permission,
+    check_keystore_permission, uid_to_android_user, watchdog as wd,
 };
 use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
     IKeyMintDevice::IKeyMintDevice, SecurityLevel::SecurityLevel,
@@ -227,7 +228,7 @@
         // Security critical permission check. This statement must return on fail.
         check_keystore_permission(KeystorePerm::ReportOffBody).context(ks_err!())?;
 
-        DB.with(|db| db.borrow_mut().update_last_off_body(MonotonicRawTime::now()));
+        DB.with(|db| db.borrow_mut().update_last_off_body(BootTime::now()));
         Ok(())
     }
 
@@ -292,8 +293,9 @@
         secure_user_id: i64,
     ) -> Result<std::vec::Vec<i64>> {
         // This method is intended to be called by Settings and discloses a list of apps
-        // associated with a user, so it requires the ChangeUser permission.
-        check_keystore_permission(KeystorePerm::ChangeUser).context(ks_err!())?;
+        // associated with a user, so it requires the "android.permission.MANAGE_USERS"
+        // permission (to avoid leaking list of apps to unauthorized callers).
+        check_get_app_uids_affected_by_sid_permissions().context(ks_err!())?;
         DB.with(|db| db.borrow_mut().get_app_uids_affected_by_sid(user_id, secure_user_id))
             .context(ks_err!("Failed to get app UIDs affected by SID"))
     }
diff --git a/keystore2/src/utils.rs b/keystore2/src/utils.rs
index 174a22b..a3fd882 100644
--- a/keystore2/src/utils.rs
+++ b/keystore2/src/utils.rs
@@ -129,6 +129,15 @@
     check_android_permission("android.permission.REQUEST_UNIQUE_ID_ATTESTATION")
 }
 
+/// This function checks whether the calling app has the Android permissions needed to manage
+/// users. Only callers that can manage users are allowed to get a list of apps affected
+/// by a user's SID changing.
+/// It throws an error if the permissions cannot be verified or if the caller doesn't
+/// have the right permissions. Otherwise it returns silently.
+pub fn check_get_app_uids_affected_by_sid_permissions() -> anyhow::Result<()> {
+    check_android_permission("android.permission.MANAGE_USERS")
+}
+
 fn check_android_permission(permission: &str) -> anyhow::Result<()> {
     let permission_controller: Strong<dyn IPermissionController::IPermissionController> =
         binder::get_interface("permission")?;
diff --git a/keystore2/test_utils/ffi_test_utils.cpp b/keystore2/test_utils/ffi_test_utils.cpp
index 4e781d1..ea03069 100644
--- a/keystore2/test_utils/ffi_test_utils.cpp
+++ b/keystore2/test_utils/ffi_test_utils.cpp
@@ -155,11 +155,19 @@
         }
 
         if (!X509_verify(key_cert.get(), signing_pubkey.get())) {
-            LOG(ERROR) << "Verification of certificate " << i << " failed "
-                       << "OpenSSL error string: " << ERR_error_string(ERR_get_error(), NULL)
-                       << '\n'
-                       << cert_data.str();
-            return false;
+            // Handles the case of device-unique attestation chain which is not expected to be
+            // self-signed - b/191361618
+            // For device-unique attestation chain `strict_issuer_check` is not set, so ignore the
+            // root certificate signature verification result and in all other cases return the
+            // error.
+            bool is_root_cert = (i == chain.size() - 1);
+            if (strict_issuer_check || !is_root_cert) {
+                LOG(ERROR) << "Verification of certificate " << i << " failed "
+                           << "OpenSSL error string: " << ERR_error_string(ERR_get_error(), NULL)
+                           << '\n'
+                           << cert_data.str();
+                return false;
+            }
         }
 
         string cert_issuer = x509NameToStr(X509_get_issuer_name(key_cert.get()));
diff --git a/keystore2/test_utils/key_generations.rs b/keystore2/test_utils/key_generations.rs
index 9ddc87a..a733be3 100644
--- a/keystore2/test_utils/key_generations.rs
+++ b/keystore2/test_utils/key_generations.rs
@@ -410,6 +410,11 @@
 ) {
     // Make sure key authorizations contains only `ALLOWED_TAGS_IN_KEY_AUTHS`
     authorizations.iter().all(|auth| {
+        // Ignore `INVALID` tag if the backend is Keymaster and not KeyMint.
+        // Keymaster allows INVALID tag for unsupported key parameters.
+        if !has_default_keymint() && auth.keyParameter.tag == Tag::INVALID {
+            return true;
+        }
         assert!(
             ALLOWED_TAGS_IN_KEY_AUTHS.contains(&auth.keyParameter.tag),
             "key authorization is not allowed: {:#?}",
@@ -427,6 +432,21 @@
         {
             return true;
         }
+
+        // Ignore below parameters if the backend is Keymaster and not KeyMint.
+        // Keymaster does not support these parameters. These key parameters are introduced in
+        // KeyMint1.0.
+        if !has_default_keymint() {
+            if matches!(key_param.tag, Tag::RSA_OAEP_MGF_DIGEST | Tag::USAGE_COUNT_LIMIT) {
+                return true;
+            }
+            if key_param.tag == Tag::PURPOSE
+                && key_param.value == KeyParameterValue::KeyPurpose(KeyPurpose::ATTEST_KEY)
+            {
+                return true;
+            }
+        }
+
         if ALLOWED_TAGS_IN_KEY_AUTHS.contains(&key_param.tag) {
             assert!(
                 check_key_param(authorizations, key_param),
diff --git a/keystore2/tests/keystore2_client_attest_key_tests.rs b/keystore2/tests/keystore2_client_attest_key_tests.rs
index 3532a35..454248a 100644
--- a/keystore2/tests/keystore2_client_attest_key_tests.rs
+++ b/keystore2/tests/keystore2_client_attest_key_tests.rs
@@ -31,12 +31,13 @@
 use keystore2_test_utils::ffi_test_utils::{get_value_from_attest_record, validate_certchain};
 
 use crate::{
-    skip_test_if_no_app_attest_key_feature, skip_test_if_no_device_id_attestation_feature,
+    skip_device_id_attestation_tests, skip_test_if_no_app_attest_key_feature,
+    skip_test_if_no_device_id_attestation_feature,
 };
 
 use crate::keystore2_client_test_utils::{
     app_attest_key_feature_exists, device_id_attestation_feature_exists, get_attest_id_value,
-    is_second_imei_id_attestation_required,
+    is_second_imei_id_attestation_required, skip_device_id_attest_tests,
 };
 
 /// Generate RSA and EC attestation keys and use them for signing RSA-signing keys.
@@ -522,6 +523,8 @@
 /// INVALID_TAG`
 fn generate_attested_key_with_device_attest_ids(algorithm: Algorithm) {
     skip_test_if_no_device_id_attestation_feature!();
+    skip_device_id_attestation_tests!();
+    skip_test_if_no_app_attest_key_feature!();
     let keystore2 = get_keystore_service();
     let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
 
diff --git a/keystore2/tests/keystore2_client_authorizations_tests.rs b/keystore2/tests/keystore2_client_authorizations_tests.rs
index 2291a08..0fde7af 100644
--- a/keystore2/tests/keystore2_client_authorizations_tests.rs
+++ b/keystore2/tests/keystore2_client_authorizations_tests.rs
@@ -41,11 +41,14 @@
 };
 
 use crate::keystore2_client_test_utils::{
-    delete_app_key, perform_sample_asym_sign_verify_op, perform_sample_hmac_sign_verify_op,
-    perform_sample_sym_key_decrypt_op, perform_sample_sym_key_encrypt_op,
-    verify_certificate_serial_num, verify_certificate_subject_name, SAMPLE_PLAIN_TEXT,
+    app_attest_key_feature_exists, delete_app_key, perform_sample_asym_sign_verify_op,
+    perform_sample_hmac_sign_verify_op, perform_sample_sym_key_decrypt_op,
+    perform_sample_sym_key_encrypt_op, verify_certificate_serial_num,
+    verify_certificate_subject_name, SAMPLE_PLAIN_TEXT,
 };
 
+use crate::{skip_test_if_no_app_attest_key_feature, skip_tests_if_keymaster_impl_present};
+
 use keystore2_test_utils::ffi_test_utils::get_value_from_attest_record;
 
 fn gen_key_including_unique_id(
@@ -112,8 +115,9 @@
 
     let auth = key_generations::get_key_auth(&key_metadata.authorizations, Tag::USAGE_COUNT_LIMIT)
         .unwrap();
-    if check_attestation {
+    if check_attestation && key_generations::has_default_keymint() {
         // Check usage-count-limit is included in attest-record.
+        // `USAGE_COUNT_LIMIT` is supported from KeyMint1.0
         assert_ne!(
             gen_params.iter().filter(|kp| kp.tag == Tag::ATTESTATION_CHALLENGE).count(),
             0,
@@ -443,6 +447,7 @@
 /// during creation of an operation using this key.
 #[test]
 fn keystore2_gen_key_auth_boot_loader_only_op_fail() {
+    skip_tests_if_keymaster_impl_present!();
     let keystore2 = get_keystore_service();
     let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
 
@@ -472,6 +477,7 @@
 /// during creation of an operation using this key.
 #[test]
 fn keystore2_gen_key_auth_early_boot_only_op_fail() {
+    skip_tests_if_keymaster_impl_present!();
     let keystore2 = get_keystore_service();
     let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
 
@@ -815,6 +821,7 @@
 /// generated attestation-key.
 #[test]
 fn keystore2_gen_attested_key_auth_app_id_app_data_test_success() {
+    skip_test_if_no_app_attest_key_feature!();
     let keystore2 = get_keystore_service();
     let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
 
@@ -869,6 +876,7 @@
 /// be provided to generateKey for an attestation key that was generated with them.
 #[test]
 fn keystore2_gen_attestation_key_with_auth_app_id_app_data_test_fail() {
+    skip_test_if_no_app_attest_key_feature!();
     let keystore2 = get_keystore_service();
     let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
 
@@ -973,6 +981,7 @@
 /// generate a key successfully and verify the specified key parameters.
 #[test]
 fn keystore2_gen_key_auth_serial_number_subject_test_success() {
+    skip_tests_if_keymaster_impl_present!();
     let keystore2 = get_keystore_service();
     let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
 
diff --git a/keystore2/tests/keystore2_client_device_unique_attestation_tests.rs b/keystore2/tests/keystore2_client_device_unique_attestation_tests.rs
index cf88fc5..4f881bc 100644
--- a/keystore2/tests/keystore2_client_device_unique_attestation_tests.rs
+++ b/keystore2/tests/keystore2_client_device_unique_attestation_tests.rs
@@ -27,6 +27,8 @@
     perform_sample_asym_sign_verify_op,
 };
 
+use crate::skip_tests_if_keymaster_impl_present;
+
 /// This macro is used for generating device unique attested EC key with device id attestation.
 macro_rules! test_ec_key_device_unique_attestation_id {
     ( $test_name:ident, $tag:expr, $prop_name:expr ) => {
@@ -158,6 +160,7 @@
 /// Test should fail to generate a key with error code `INVALID_ARGUMENT`
 #[test]
 fn keystore2_gen_key_device_unique_attest_with_default_sec_level_unimplemented() {
+    skip_tests_if_keymaster_impl_present!();
     let keystore2 = get_keystore_service();
     let sec_level = keystore2.getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT).unwrap();
 
@@ -324,32 +327,32 @@
 test_ec_key_device_unique_attestation_id!(
     keystore2_device_unique_attest_ecdsa_attest_id_brand,
     Tag::ATTESTATION_ID_BRAND,
-    "ro.product.brand_for_attestation"
+    "brand"
 );
 test_ec_key_device_unique_attestation_id!(
     keystore2_device_unique_attest_ecdsa_attest_id_device,
     Tag::ATTESTATION_ID_DEVICE,
-    "ro.product.device"
+    "device"
 );
 test_ec_key_device_unique_attestation_id!(
     keystore2_device_unique_attest_ecdsa_attest_id_product,
     Tag::ATTESTATION_ID_PRODUCT,
-    "ro.product.name_for_attestation"
+    "name"
 );
 test_ec_key_device_unique_attestation_id!(
     keystore2_device_unique_attest_ecdsa_attest_id_serial,
     Tag::ATTESTATION_ID_SERIAL,
-    "ro.serialno"
+    "serialno"
 );
 test_ec_key_device_unique_attestation_id!(
     keystore2_device_unique_attest_ecdsa_attest_id_manufacturer,
     Tag::ATTESTATION_ID_MANUFACTURER,
-    "ro.product.manufacturer"
+    "manufacturer"
 );
 test_ec_key_device_unique_attestation_id!(
     keystore2_device_unique_attest_ecdsa_attest_id_model,
     Tag::ATTESTATION_ID_MODEL,
-    "ro.product.model_for_attestation"
+    "model"
 );
 test_ec_key_device_unique_attestation_id!(
     keystore2_device_unique_attest_ecdsa_attest_id_imei,
@@ -367,32 +370,32 @@
 test_rsa_key_device_unique_attestation_id!(
     keystore2_device_unique_attest_rsa_attest_id_brand,
     Tag::ATTESTATION_ID_BRAND,
-    "ro.product.brand_for_attestation"
+    "brand"
 );
 test_rsa_key_device_unique_attestation_id!(
     keystore2_device_unique_attest_rsa_attest_id_device,
     Tag::ATTESTATION_ID_DEVICE,
-    "ro.product.device"
+    "device"
 );
 test_rsa_key_device_unique_attestation_id!(
     keystore2_device_unique_attest_rsa_attest_id_product,
     Tag::ATTESTATION_ID_PRODUCT,
-    "ro.product.name_for_attestation"
+    "name"
 );
 test_rsa_key_device_unique_attestation_id!(
     keystore2_device_unique_attest_rsa_attest_id_serial,
     Tag::ATTESTATION_ID_SERIAL,
-    "ro.serialno"
+    "serialno"
 );
 test_rsa_key_device_unique_attestation_id!(
     keystore2_device_unique_attest_rsa_attest_id_manufacturer,
     Tag::ATTESTATION_ID_MANUFACTURER,
-    "ro.product.manufacturer"
+    "manufacturer"
 );
 test_rsa_key_device_unique_attestation_id!(
     keystore2_device_unique_attest_rsa_attest_id_model,
     Tag::ATTESTATION_ID_MODEL,
-    "ro.product.model_for_attestation"
+    "model"
 );
 test_rsa_key_device_unique_attestation_id!(
     keystore2_device_unique_attest_rsa_attest_id_imei,
diff --git a/keystore2/tests/keystore2_client_list_entries_tests.rs b/keystore2/tests/keystore2_client_list_entries_tests.rs
index 1c0c496..8b3f700 100644
--- a/keystore2/tests/keystore2_client_list_entries_tests.rs
+++ b/keystore2/tests/keystore2_client_list_entries_tests.rs
@@ -140,7 +140,7 @@
                 let key_descriptors = keystore2.listEntries(Domain::APP, -1).unwrap();
                 assert_eq!(1, key_descriptors.len());
 
-                let key = key_descriptors.get(0).unwrap();
+                let key = key_descriptors.first().unwrap();
                 assert_eq!(key.alias, Some(alias));
                 assert_eq!(key.nspace, GRANTEE_UID.try_into().unwrap());
                 assert_eq!(key.domain, Domain::APP);
diff --git a/keystore2/tests/keystore2_client_test_utils.rs b/keystore2/tests/keystore2_client_test_utils.rs
index 037482a..f270297 100644
--- a/keystore2/tests/keystore2_client_test_utils.rs
+++ b/keystore2/tests/keystore2_client_test_utils.rs
@@ -15,6 +15,7 @@
 use nix::unistd::{Gid, Uid};
 use serde::{Deserialize, Serialize};
 
+use std::path::PathBuf;
 use std::process::{Command, Output};
 
 use openssl::bn::BigNum;
@@ -88,6 +89,22 @@
     pm.hasSystemFeature(DEVICE_ID_ATTESTATION_FEATURE, 0).expect("hasSystemFeature failed.")
 }
 
+/// Determines whether to skip device id attestation tests on GSI build with API level < 34.
+pub fn skip_device_id_attest_tests() -> bool {
+    // b/298586194, there are some devices launched with Android T, and they will be receiving
+    // only system update and not vendor update, newly added attestation properties
+    // (ro.product.*_for_attestation) reading logic would not be available for such devices
+    // hence skipping this test for such scenario.
+    let api_level = std::str::from_utf8(&get_system_prop("ro.board.first_api_level"))
+        .unwrap()
+        .parse::<i32>()
+        .unwrap();
+    // This file is only present on GSI builds.
+    let path_buf = PathBuf::from("/system/system_ext/etc/init/init.gsi.rc");
+
+    api_level < 34 && path_buf.as_path().is_file()
+}
+
 #[macro_export]
 macro_rules! skip_test_if_no_app_attest_key_feature {
     () => {
@@ -106,6 +123,24 @@
     };
 }
 
+#[macro_export]
+macro_rules! skip_device_id_attestation_tests {
+    () => {
+        if skip_device_id_attest_tests() {
+            return;
+        }
+    };
+}
+
+#[macro_export]
+macro_rules! skip_tests_if_keymaster_impl_present {
+    () => {
+        if !key_generations::has_default_keymint() {
+            return;
+        }
+    };
+}
+
 /// Generate EC key and grant it to the list of users with given access vector.
 /// Returns the list of granted keys `nspace` values in the order of given grantee uids.
 pub fn generate_ec_key_and_grant_to_users(
diff --git a/keystore2/watchdog/src/lib.rs b/keystore2/watchdog/src/lib.rs
index 01043c5..fa4620a 100644
--- a/keystore2/watchdog/src/lib.rs
+++ b/keystore2/watchdog/src/lib.rs
@@ -335,7 +335,7 @@
         android_logger::init_once(
             android_logger::Config::default()
                 .with_tag("keystore2_watchdog_tests")
-                .with_min_level(log::Level::Debug),
+                .with_max_level(log::LevelFilter::Debug),
         );
 
         let wd = Watchdog::new(Watchdog::NOISY_REPORT_TIMEOUT.checked_mul(3).unwrap());
diff --git a/ondevice-signing/Android.bp b/ondevice-signing/Android.bp
index f56cfab..6901b17 100644
--- a/ondevice-signing/Android.bp
+++ b/ondevice-signing/Android.bp
@@ -142,6 +142,8 @@
     "libfsverity",
     "liblogwrap",
     "libprotobuf-cpp-lite",
+    "libstatspull",
+    "libstatssocket",
     "libutils",
   ],
 }