Merge "AesInvalidKeySize skip 192 on SB devices" into sc-dev

2026-02-01 11:36:00 +00:00 · 2021-08-20 16:15:29 +00:00
parent ca76a75096 5b7f78d43b
commit f0394173a4
2 changed files with 6 additions and 1 deletions
--- a/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp
+++ b/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp
@@ -940,7 +940,11 @@ TEST_P(NewKeyGenerationTest, HmacDigestNone) {
 * UNSUPPORTED_KEY_SIZE.
 */
 TEST_P(NewKeyGenerationTest, AesInvalidKeySize) {
+    int32_t firstApiLevel = property_get_int32("ro.board.first_api_level", 0);
    for (auto key_size : InvalidKeySizes(Algorithm::AES)) {
+        if (key_size == 192 && SecLevel() == SecurityLevel::STRONGBOX && firstApiLevel < 31) {
+            continue;
+        }
        ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
                  GenerateKey(AuthorizationSetBuilder()
                                      .Authorization(TAG_NO_AUTH_REQUIRED)
--- a/security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl
+++ b/security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl
@@ -96,7 +96,8 @@ import android.hardware.security.secureclock.TimeStampToken;
 *
 * o   AES
 *
- *      - 128 and 256-bit keys
+ *      - TRUSTED_ENVIRONMENT IKeyMintDevices must support 128, 192 and 256-bit keys.
+ *        STRONGBOX IKeyMintDevices must only support 128 and 256-bit keys.
 *      - CBC, CTR, ECB and GCM modes.  The GCM mode must not allow the use of tags smaller than 96
 *        bits or nonce lengths other than 96 bits.
 *      - CBC and ECB modes must support unpadded and PKCS7 padding modes.  With no padding CBC and