Fix KeyAttestation Cts test failure in unlocked devices
This CL sets the verified boot key in attestation parameters to all
zeros of 32 bytes when the boot loader passes an empty
verified boot key.
Bug: 192634248
Test: atest android.keystore.cts.KeyAttestationTest#testEcAttestation
atest android.keystore.cts.KeyAttestationTest#testRsaAttestation
Change-Id: I9ddbdc55e4e2b842885de278f165a6347926e8a6
diff --git a/trusty_keymaster_context.cpp b/trusty_keymaster_context.cpp
index e9876bb..24397d6 100644
--- a/trusty_keymaster_context.cpp
+++ b/trusty_keymaster_context.cpp
@@ -42,6 +42,7 @@
#include "trusty_aes_key.h"
constexpr bool kUseSecureDeletion = true;
+constexpr uint8_t kAllZerosVerifiedBootKey[32] = {};
#ifdef KEYMASTER_DEBUG
#pragma message \
@@ -842,8 +843,18 @@
VerifiedBootParams& vb_parms =
const_cast<VerifiedBootParams&>(verified_boot_params_);
- vb_parms.verified_boot_key = {boot_params_.verified_boot_key.begin(),
- boot_params_.verified_boot_key.buffer_size()};
+ if (boot_params_.verified_boot_key.buffer_size()) {
+ vb_parms.verified_boot_key = {
+ boot_params_.verified_boot_key.begin(),
+ boot_params_.verified_boot_key.buffer_size()};
+ } else {
+ // If an empty verified boot key was passed by the boot loader, set the
+ // verfified boot key in attestation parameters to 32 bytes of all
+ // zeros.
+ vb_parms.verified_boot_key = {kAllZerosVerifiedBootKey,
+ sizeof(kAllZerosVerifiedBootKey)};
+ }
+
vb_parms.verified_boot_hash = {
boot_params_.verified_boot_hash.begin(),
boot_params_.verified_boot_hash.buffer_size()};
