Merge "AesInvalidKeySize skip 192 on SB devices" into sc-dev am: f0394173a4

Original change: https://googleplex-android-review.googlesource.com/c/platform/hardware/interfaces/+/15596426

Change-Id: Ic062d555736fef27f8ede837e109b50ac9f86efe

keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp

@@ -940,7 +940,11 @@ TEST_P(NewKeyGenerationTest, HmacDigestNone) {
  * UNSUPPORTED_KEY_SIZE.
  */
 TEST_P(NewKeyGenerationTest, AesInvalidKeySize) {
+    int32_t firstApiLevel = property_get_int32("ro.board.first_api_level", 0);
     for (auto key_size : InvalidKeySizes(Algorithm::AES)) {
+        if (key_size == 192 && SecLevel() == SecurityLevel::STRONGBOX && firstApiLevel < 31) {
+            continue;
+        }
         ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
                   GenerateKey(AuthorizationSetBuilder()
                                       .Authorization(TAG_NO_AUTH_REQUIRED)

security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl

@@ -96,7 +96,8 @@ import android.hardware.security.secureclock.TimeStampToken;
  *
  * o   AES
  *
- *      - 128 and 256-bit keys
+ *      - TRUSTED_ENVIRONMENT IKeyMintDevices must support 128, 192 and 256-bit keys.
+ *        STRONGBOX IKeyMintDevices must only support 128 and 256-bit keys.
  *      - CBC, CTR, ECB and GCM modes.  The GCM mode must not allow the use of tags smaller than 96
  *        bits or nonce lengths other than 96 bits.
  *      - CBC and ECB modes must support unpadded and PKCS7 padding modes.  With no padding CBC and