Disable use of StrongBox for encryption
Until VerificationTokens are wired up, StrongBox can't work. Also,
this will reduce complications for early StrongBox testing.
Bug: 77338527
Test: Boot the device
Change-Id: I44a1577c388703aeecb2886e7db52084c17e2afd
diff --git a/Keymaster.cpp b/Keymaster.cpp
index 7d061bb..7df27ec 100644
--- a/Keymaster.cpp
+++ b/Keymaster.cpp
@@ -25,6 +25,7 @@
using ::android::hardware::hidl_string;
using ::android::hardware::hidl_vec;
+using ::android::hardware::keymaster::V4_0::SecurityLevel;
KeymasterOperation::~KeymasterOperation() {
if (mDevice) mDevice->abort(mOpHandle);
@@ -97,8 +98,15 @@
Keymaster::Keymaster() {
auto devices = KmDevice::enumerateAvailableDevices();
- if (devices.empty()) return;
- mDevice = std::move(devices[0]);
+ for (auto& dev : devices) {
+ // Explicitly avoid using STRONGBOX for now.
+ // TODO: Re-enable STRONGBOX, since it's what we really want. b/77338527
+ if (dev->halVersion().securityLevel != SecurityLevel::STRONGBOX) {
+ mDevice = std::move(dev);
+ break;
+ }
+ }
+ if (!mDevice) return;
auto& version = mDevice->halVersion();
LOG(INFO) << "Using " << version.keymasterName << " from " << version.authorName
<< " for encryption. Security level: " << toString(version.securityLevel)