authorMax Bires <jbires@google.com>2022-06-20 00:03:32 -0700
committerShawn Willden <swillden@google.com>2022-06-21 21:05:21 +0000
commit7409f7c8ddbde048faf4bdea600d8186fc4a5c00 (patch)
tree427eda775c48afa86bf2219797d8a8c19fe43b0d
parentccce73d1e1d76f357d055b5e3500df64f30bc3c4 (diff)
downloadsecurity-7409f7c8ddbde048faf4bdea600d8186fc4a5c00.tar.gz
Do not use RKP for DEVICE_UNIQUE_ATTESTATION.android13-dev
Keystore2 previously did not process the DEVICE_UNIQUE_ATTESTATION tag. This was an unnecessary step when there was no ability to select the attestation key provided to the backing Keymaster instance. Now, however, Keystore2 does need to process generateKey requests for this tag. This is because it will pass in an RKP key by default and append those certificates to the result if RKP is present. This change alters Keystore2 behavior during attestation key selection. If the DEVICE_UNIQUE_ATTESTATION tag is present, it will no longer attempt to select an RKP key and will instead pass nothing in the attestKey argument for KM. Bug: 234413909 Test: atest com.android.cts.devicepolicy.MixedDeviceOwnerTest#testKeyManagement Ignore-AOSP-First: Cherry-pick from AOSP Change-Id: Ib81fb65570a4e9eb7e7b051f9791071ee78dc02f Merged-In: Ib81fb65570a4e9eb7e7b051f9791071ee78dc02f
-rw-r--r--keystore2/src/attestation_key_utils.rs5
1 files changed, 4 insertions, 1 deletions
diff --git a/keystore2/src/attestation_key_utils.rs b/keystore2/src/attestation_key_utils.rs
index 8354ba5c..34089425 100644
--- a/keystore2/src/attestation_key_utils.rs
+++ b/keystore2/src/attestation_key_utils.rs
@@ -59,8 +59,11 @@ pub fn get_attest_key_info(
db: &mut KeystoreDB,
) -> Result<Option<AttestationKeyInfo>> {
let challenge_present = params.iter().any(|kp| kp.tag == Tag::ATTESTATION_CHALLENGE);
+ let is_device_unique_attestation =
+ params.iter().any(|kp| kp.tag == Tag::DEVICE_UNIQUE_ATTESTATION);
match attest_key_descriptor {
- None if challenge_present => rem_prov_state
+ // Do not select an RKP key if DEVICE_UNIQUE_ATTESTATION is present.
+ None if challenge_present && !is_device_unique_attestation => rem_prov_state
.get_remotely_provisioned_attestation_key_and_certs(key, caller_uid, params, db)
.context(concat!(
"In get_attest_key_and_cert_chain: ",
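Review bot: The new guard on the `None if challenge_present && !is_device_unique_attestation` arm changes the function's contract, but the outcome when DEVICE_UNIQUE_ATTESTATION is present — the arm the call then falls into — lies outside this hunk, and the inline comment only says what is skipped, not why. The doc comment on `get_attest_key_info` (its signature starts before the hunk and its body continues after it) should state the new behaviour, e.g. `/// If the DEVICE_UNIQUE_ATTESTATION tag is present no remotely provisioned key is selected; the attestKey argument is left empty so the backing KeyMint uses its own device-unique key.` The inline comment would be more useful as `// DEVICE_UNIQUE_ATTESTATION must be signed by KeyMint's device-unique key, so never substitute an RKP key.` Note that the decision is made on tag presence alone, which presumably matches how KeyMint treats bool tags, but if a caller can supply the tag with a false value that should be confirmed against the caller-side validation of `params`.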