Do not use RKP for DEVICE_UNIQUE_ATTESTATION.
Keystore2 previously did not process the DEVICE_UNIQUE_ATTESTATION tag.
This was an unnecessary step when there was no ability to select the
attestation key provided to the backing Keymaster instance. Now,
however, Keystore2 does need to process generateKey requests for this
tag. This is because it will pass in an RKP key by default and append
those certificates to the result if RKP is present.
This change alters Keystore2 behavior during attestation key selection.
If the DEVICE_UNIQUE_ATTESTATION tag is present, it will no longer
attempt to select an RKP key and will instead pass nothing in the
attestKey argument for KM.
Bug: 234413909
Test: atest com.android.cts.devicepolicy.MixedDeviceOwnerTest#testKeyManagement
Ignore-AOSP-First: Cherry-pick from AOSP
Change-Id: Ib81fb65570a4e9eb7e7b051f9791071ee78dc02f
Merged-In: Ib81fb65570a4e9eb7e7b051f9791071ee78dc02f
1 file changed
