From 7409f7c8ddbde048faf4bdea600d8186fc4a5c00 Mon Sep 17 00:00:00 2001
From: Max Bires
Date: Mon, 20 Jun 2022 00:03:32 -0700
Subject: Do not use RKP for DEVICE_UNIQUE_ATTESTATION.

Keystore2 previously did not process the DEVICE_UNIQUE_ATTESTATION tag. This was an unnecessary step when there was no ability to select the attestation key provided to the backing Keymaster instance. Now, however, Keystore2 does need to process generateKey requests for this tag. This is because it will pass in an RKP key by default and append those certificates to the result if RKP is present. This change alters Keystore2 behavior during attestation key selection. If the DEVICE_UNIQUE_ATTESTATION tag is present, it will no longer attempt to select an RKP key and will instead pass nothing in the attestKey argument for KM.

Bug: 234413909
Test: atest com.android.cts.devicepolicy.MixedDeviceOwnerTest#testKeyManagement
Ignore-AOSP-First: Cherry-pick from AOSP
Change-Id: Ib81fb65570a4e9eb7e7b051f9791071ee78dc02f
Merged-In: Ib81fb65570a4e9eb7e7b051f9791071ee78dc02f
---
 keystore2/src/attestation_key_utils.rs | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/keystore2/src/attestation_key_utils.rs b/keystore2/src/attestation_key_utils.rs
index 8354ba5c..34089425 100644
--- a/keystore2/src/attestation_key_utils.rs
+++ b/keystore2/src/attestation_key_utils.rs
@@ -59,8 +59,11 @@ pub fn get_attest_key_info(
 db: &mut KeystoreDB,
 ) -> Result> {
 let challenge_present = params.iter().any(|kp| kp.tag == Tag::ATTESTATION_CHALLENGE);
+ let is_device_unique_attestation =
+ params.iter().any(|kp| kp.tag == Tag::DEVICE_UNIQUE_ATTESTATION);
 match attest_key_descriptor {
- None if challenge_present => rem_prov_state
+ // Do not select an RKP key if DEVICE_UNIQUE_ATTESTATION is present.
+ None if challenge_present && !is_device_unique_attestation => rem_prov_state
 .get_remotely_provisioned_attestation_key_and_certs(key, caller_uid, params, db)
 .context(concat!(
 "In get_attest_key_and_cert_chain: ",
-- cgit v1.2.3
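Review bot: The new comment above the guard says only that no RKP key is selected, not what happens instead — a device-unique request now falls through to whichever later `None` arm of this `match` applies, and that arm is outside the hunk, so a reader of the guard cannot tell the fall-through is deliberate. I would make the comment carry the reason from the commit message: `// DEVICE_UNIQUE_ATTESTATION is attested by the backing KeyMint/StrongBox instance with its own device-unique key, so pass no attestKey and append no RKP chain: deliberately fall through to the plain None arm below.` Note also that this guard only chooses which attestation key Keystore2 forwards; nothing in this function checks that the caller is permitted to request device-unique attestation, so that authorization must live elsewhere (presumably the framework/device-owner layer the CTS test in the commit exercises) and is worth confirming rather than assuming. The case of an explicit `Some(attest_key_descriptor)` combined with this tag is likewise decided by arms outside the hunk. The enclosing `match` and the rest of `get_attest_key_info` continue past the end of the hunk.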