AesInvalidKeySize skip 192 on SB devices
This change clarifies the language to specify that StrongBox devices
must only support key sizes of 128 and 256. Additionally, it changes the
new AesInvalidKeySize test to only enforce against StrongBox instances
on devices that launch on S or later, not previously launched devices.
Ignore-AOSP-First: CP to AOSP
Bug: 191736606
Test: Test passes on a StrongBox enabled device
Change-Id: Ic0ff19d2d19d6e18dfbc0fad4b8182264f36b2f6
diff --git a/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp b/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp
index 01c502c..ae5f2fe 100644
--- a/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp
+++ b/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp
@@ -940,7 +940,11 @@
* UNSUPPORTED_KEY_SIZE.
*/
TEST_P(NewKeyGenerationTest, AesInvalidKeySize) {
+ int32_t firstApiLevel = property_get_int32("ro.board.first_api_level", 0);
for (auto key_size : InvalidKeySizes(Algorithm::AES)) {
+ if (key_size == 192 && SecLevel() == SecurityLevel::STRONGBOX && firstApiLevel < 31) {
+ continue;
+ }
ASSERT_EQ(ErrorCode::UNSUPPORTED_KEY_SIZE,
GenerateKey(AuthorizationSetBuilder()
.Authorization(TAG_NO_AUTH_REQUIRED)
diff --git a/security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl b/security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl
index 2241735..4e81e71 100644
--- a/security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl
+++ b/security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl
@@ -96,7 +96,8 @@
*
* o AES
*
- * - 128 and 256-bit keys
+ * - TRUSTED_ENVIRONMENT IKeyMintDevices must support 128, 192 and 256-bit keys.
+ * STRONGBOX IKeyMintDevices must only support 128 and 256-bit keys.
* - CBC, CTR, ECB and GCM modes. The GCM mode must not allow the use of tags smaller than 96
* bits or nonce lengths other than 96 bits.
* - CBC and ECB modes must support unpadded and PKCS7 padding modes. With no padding CBC and
