diff --git a/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp b/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp
index 476eed8b19..93fb19d23d 100644
--- a/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp
+++ b/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp
@@ -940,7 +940,11 @@ TEST_P(NewKeyGenerationTest, HmacDigestNone) {
  * UNSUPPORTED_KEY_SIZE.
  */
 TEST_P(NewKeyGenerationTest, AesInvalidKeySize) {
+    int32_t firstApiLevel = property_get_int32("ro.board.first_api_level", 0);
     for (auto key_size : InvalidKeySizes(Algorithm::AES)) {
+        if (key_size == 192 && SecLevel() == SecurityLevel::STRONGBOX && firstApiLevel < 31) {
+            continue;
+        }
         ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
                   GenerateKey(AuthorizationSetBuilder()
                                       .Authorization(TAG_NO_AUTH_REQUIRED)
diff --git a/security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl b/security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl
index 2241735928..4e81e71826 100644
--- a/security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl
+++ b/security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl
@@ -96,7 +96,8 @@ import android.hardware.security.secureclock.TimeStampToken;
  *
  * o   AES
  *
- *      - 128 and 256-bit keys
+ *      - TRUSTED_ENVIRONMENT IKeyMintDevices must support 128, 192 and 256-bit keys.
+ *        STRONGBOX IKeyMintDevices must only support 128 and 256-bit keys.
  *      - CBC, CTR, ECB and GCM modes.  The GCM mode must not allow the use of tags smaller than 96
  *        bits or nonce lengths other than 96 bits.
  *      - CBC and ECB modes must support unpadded and PKCS7 padding modes.  With no padding CBC and