From 9caca7e7f071cf86233bd565c3932eb1f50eb8b2 Mon Sep 17 00:00:00 2001
From: Catherine Vlasov <cvlasov@google.com>
Date: Mon, 18 Nov 2024 09:43:17 +0000
Subject: [PATCH] Specify the expected contents of "verifiedBootKey".

Bug: 220834466
Test: n/a, comment update
Change-Id: Idedbc41a6277dc89ed74c61ff26753ceae67606b
---
 .../android/hardware/security/keymint/KeyCreationResult.aidl   | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/security/keymint/aidl/android/hardware/security/keymint/KeyCreationResult.aidl b/security/keymint/aidl/android/hardware/security/keymint/KeyCreationResult.aidl
index eb9d83de25..2d2f307ec9 100644
--- a/security/keymint/aidl/android/hardware/security/keymint/KeyCreationResult.aidl
+++ b/security/keymint/aidl/android/hardware/security/keymint/KeyCreationResult.aidl
@@ -153,6 +153,9 @@ parcelable KeyCreationResult {
      * }
      *
      * RootOfTrust ::= SEQUENCE {
+     *     -- verifiedBootKey must contain a SHA-256 digest of the public key embedded in the
+     *     -- "vbmeta" partition if the device's bootloader is locked, or 32 bytes of zeroes if the
+     *     -- device's bootloader is unlocked.
      *     verifiedBootKey            OCTET_STRING,
      *     deviceLocked               BOOLEAN,
      *     verifiedBootState          VerifiedBootState,