Merge "Updated the vts attestation tests for strongbox implementations which do not support factory attestation." am: 950b7b8026 am: cc399cf7b0 am: af1490f3f7

Original change: https://android-review.googlesource.com/c/platform/hardware/interfaces/+/2027803 Change-Id: I07f19f0c03955d3931842688d8a2ee31dbf174cf
2022-03-24 17:59:41 +00:00 · 2022-03-24 17:59:41 +00:00 · d31d3b8554
commit d31d3b8554
parent 0a6851cc20 af1490f3f7
4 changed files with 246 additions and 102 deletions
--- a/security/keymint/aidl/android/hardware/security/keymint/KeyCreationResult.aidl
+++ b/security/keymint/aidl/android/hardware/security/keymint/KeyCreationResult.aidl
@ -61,13 +61,15 @@ parcelable KeyCreationResult {
     * the non-attestation case, whether the key can self-sign.
     *
     * 1.  Asymmetric key attestation with factory key.  If Tag::ATTESTATION_CHALLENGE is provided
-     *     and the `attestationKey` parameter on the generate/import call is null, the returned
+     *     and the `attestationKey` parameter on the generate/import call is null, and if the
+     *     KeyMint implementation supports factory-provisioned attestation keys, the returned
     *     certificate chain must contain an attestation certificate signed with a factory-
     *     provisioned attestation key, and the full certificate chain for that factory-provisioned
     *     attestation key.  Tag::ATTESTATION_APPLICATION_ID must also be provided when the
     *     ATTESTATION_CHALLENGE is provided, otherwise ATTESTATION_APPLICATION_ID_MISSING will be
     *     returned.  KeyMint implementations are not required to support factory-provisioned
-     *     attestation keys.
+     *     attestation keys. If the KeyMint implementation does not support factory-provisioned
+     *     keys, it must return ATTESTATION_KEYS_NOT_PROVISIONED.
     *
     * 2.  Asymmetric key attestation with caller-provided key.  If Tag::ATTESTATION_CHALLENGE is
     *     provided and the `attestationKey` parameter on the generate/import call is non-null and
--- a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp
+++ b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp
@ -312,6 +312,30 @@ ErrorCode KeyMintAidlTestBase::GenerateKey(const AuthorizationSet& key_desc,
    return GenerateKey(key_desc, attest_key, &key_blob_, &key_characteristics_, &cert_chain_);
 }

+ErrorCode KeyMintAidlTestBase::GenerateKeyWithSelfSignedAttestKey(
+        const AuthorizationSet& attest_key_desc, const AuthorizationSet& key_desc,
+        vector<uint8_t>* key_blob, vector<KeyCharacteristics>* key_characteristics,
+        vector<Certificate>* cert_chain) {
+    AttestationKey attest_key;
+    vector<Certificate> attest_cert_chain;
+    vector<KeyCharacteristics> attest_key_characteristics;
+    // Generate a key with self signed attestation.
+    auto error = GenerateKey(attest_key_desc, std::nullopt, &attest_key.keyBlob,
+                             &attest_key_characteristics, &attest_cert_chain);
+    if (error != ErrorCode::OK) {
+        return error;
+    }
+
+    attest_key.issuerSubjectName = make_name_from_str("Android Keystore Key");
+    // Generate a key, by passing the above self signed attestation key as attest key.
+    error = GenerateKey(key_desc, attest_key, key_blob, key_characteristics, cert_chain);
+    if (error == ErrorCode::OK) {
+        // Append the attest_cert_chain to the attested cert_chain to yield a valid cert chain.
+        cert_chain->push_back(attest_cert_chain[0]);
+    }
+    return error;
+}
+
 ErrorCode KeyMintAidlTestBase::ImportKey(const AuthorizationSet& key_desc, KeyFormat format,
                                         const string& key_material, vector<uint8_t>* key_blob,
                                         vector<KeyCharacteristics>* key_characteristics) {
--- a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h
+++ b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h
@ -96,6 +96,21 @@ class KeyMintAidlTestBase : public ::testing::TestWithParam<string> {
    ErrorCode GenerateKey(const AuthorizationSet& key_desc,
                          const optional<AttestationKey>& attest_key = std::nullopt);

+    // Generate key for implementations which do not support factory attestation.
+    ErrorCode GenerateKeyWithSelfSignedAttestKey(const AuthorizationSet& attest_key_desc,
+                                                 const AuthorizationSet& key_desc,
+                                                 vector<uint8_t>* key_blob,
+                                                 vector<KeyCharacteristics>* key_characteristics,
+                                                 vector<Certificate>* cert_chain);
+
+    ErrorCode GenerateKeyWithSelfSignedAttestKey(const AuthorizationSet& attest_key_desc,
+                                                 const AuthorizationSet& key_desc,
+                                                 vector<uint8_t>* key_blob,
+                                                 vector<KeyCharacteristics>* key_characteristics) {
+        return GenerateKeyWithSelfSignedAttestKey(attest_key_desc, key_desc, key_blob,
+                                                  key_characteristics, &cert_chain_);
+    }
+
    ErrorCode ImportKey(const AuthorizationSet& key_desc, KeyFormat format,
                        const string& key_material, vector<uint8_t>* key_blob,
                        vector<KeyCharacteristics>* key_characteristics);
--- a/security/keymint/aidl/vts/functional/KeyMintTest.cpp
+++ b/security/keymint/aidl/vts/functional/KeyMintTest.cpp
@ -1067,22 +1067,30 @@ TEST_P(NewKeyGenerationTest, RsaWithAttestation) {
    for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
        vector<uint8_t> key_blob;
        vector<KeyCharacteristics> key_characteristics;
-        auto result = GenerateKey(AuthorizationSetBuilder()
-                                          .RsaSigningKey(key_size, 65537)
-                                          .Digest(Digest::NONE)
-                                          .Padding(PaddingMode::NONE)
-                                          .AttestationChallenge(challenge)
-                                          .AttestationApplicationId(app_id)
-                                          .Authorization(TAG_NO_AUTH_REQUIRED)
-                                          .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
-                                          .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
-                                          .SetDefaultValidity(),
-                                  &key_blob, &key_characteristics);
+        auto builder = AuthorizationSetBuilder()
+                               .RsaSigningKey(key_size, 65537)
+                               .Digest(Digest::NONE)
+                               .Padding(PaddingMode::NONE)
+                               .AttestationChallenge(challenge)
+                               .AttestationApplicationId(app_id)
+                               .Authorization(TAG_NO_AUTH_REQUIRED)
+                               .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
+                               .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
+                               .SetDefaultValidity();
+
+        auto result = GenerateKey(builder, &key_blob, &key_characteristics);
        // Strongbox may not support factory provisioned attestation key.
        if (SecLevel() == SecurityLevel::STRONGBOX) {
-            if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
+            if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
+                result = GenerateKeyWithSelfSignedAttestKey(
+                        AuthorizationSetBuilder()
+                                .RsaKey(key_size, 65537)
+                                .AttestKey()
+                                .SetDefaultValidity(), /* attest key params */
+                        builder, &key_blob, &key_characteristics);
+            }
        }
-
+        ASSERT_EQ(ErrorCode::OK, result);
        ASSERT_GT(key_blob.size(), 0U);
        CheckBaseParams(key_characteristics);
        CheckCharacteristics(key_blob, key_characteristics);
@ -1203,19 +1211,27 @@ TEST_P(NewKeyGenerationTest, RsaEncryptionWithAttestation) {

    vector<uint8_t> key_blob;
    vector<KeyCharacteristics> key_characteristics;
-    auto result = GenerateKey(AuthorizationSetBuilder()
-                                      .RsaEncryptionKey(key_size, 65537)
-                                      .Padding(PaddingMode::NONE)
-                                      .AttestationChallenge(challenge)
-                                      .AttestationApplicationId(app_id)
-                                      .Authorization(TAG_NO_AUTH_REQUIRED)
-                                      .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
-                                      .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
-                                      .SetDefaultValidity(),
-                              &key_blob, &key_characteristics);
+    auto builder = AuthorizationSetBuilder()
+                           .RsaEncryptionKey(key_size, 65537)
+                           .Padding(PaddingMode::NONE)
+                           .AttestationChallenge(challenge)
+                           .AttestationApplicationId(app_id)
+                           .Authorization(TAG_NO_AUTH_REQUIRED)
+                           .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
+                           .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
+                           .SetDefaultValidity();
+
+    auto result = GenerateKey(builder, &key_blob, &key_characteristics);
    // Strongbox may not support factory provisioned attestation key.
    if (SecLevel() == SecurityLevel::STRONGBOX) {
-        if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
+        if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
+            result = GenerateKeyWithSelfSignedAttestKey(
+                    AuthorizationSetBuilder()
+                            .RsaKey(key_size, 65537)
+                            .AttestKey()
+                            .SetDefaultValidity(), /* attest key params */
+                    builder, &key_blob, &key_characteristics);
+        }
    }
    ASSERT_EQ(ErrorCode::OK, result);

@ -1319,17 +1335,25 @@ TEST_P(NewKeyGenerationTest, RsaWithAttestationMissAppId) {
    vector<uint8_t> key_blob;
    vector<KeyCharacteristics> key_characteristics;

-    auto result = GenerateKey(AuthorizationSetBuilder()
-                                      .RsaSigningKey(2048, 65537)
-                                      .Digest(Digest::NONE)
-                                      .Padding(PaddingMode::NONE)
-                                      .AttestationChallenge(challenge)
-                                      .Authorization(TAG_NO_AUTH_REQUIRED)
-                                      .SetDefaultValidity(),
-                              &key_blob, &key_characteristics);
+    auto builder = AuthorizationSetBuilder()
+                           .RsaSigningKey(2048, 65537)
+                           .Digest(Digest::NONE)
+                           .Padding(PaddingMode::NONE)
+                           .AttestationChallenge(challenge)
+                           .Authorization(TAG_NO_AUTH_REQUIRED)
+                           .SetDefaultValidity();
+
+    auto result = GenerateKey(builder, &key_blob, &key_characteristics);
    // Strongbox may not support factory provisioned attestation key.
    if (SecLevel() == SecurityLevel::STRONGBOX) {
-        if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
+        if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
+            result = GenerateKeyWithSelfSignedAttestKey(
+                    AuthorizationSetBuilder()
+                            .RsaKey(2048, 65537)
+                            .AttestKey()
+                            .SetDefaultValidity(), /* attest key params */
+                    builder, &key_blob, &key_characteristics);
+        }
    }
    ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING, result);
 }
@ -1441,21 +1465,29 @@ TEST_P(NewKeyGenerationTest, LimitedUsageRsaWithAttestation) {
    for (auto key_size : ValidKeySizes(Algorithm::RSA)) {
        vector<uint8_t> key_blob;
        vector<KeyCharacteristics> key_characteristics;
-        auto result = GenerateKey(AuthorizationSetBuilder()
-                                          .RsaSigningKey(key_size, 65537)
-                                          .Digest(Digest::NONE)
-                                          .Padding(PaddingMode::NONE)
-                                          .AttestationChallenge(challenge)
-                                          .AttestationApplicationId(app_id)
-                                          .Authorization(TAG_NO_AUTH_REQUIRED)
-                                          .Authorization(TAG_USAGE_COUNT_LIMIT, 1)
-                                          .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
-                                          .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
-                                          .SetDefaultValidity(),
-                                  &key_blob, &key_characteristics);
+        auto builder = AuthorizationSetBuilder()
+                               .RsaSigningKey(key_size, 65537)
+                               .Digest(Digest::NONE)
+                               .Padding(PaddingMode::NONE)
+                               .AttestationChallenge(challenge)
+                               .AttestationApplicationId(app_id)
+                               .Authorization(TAG_NO_AUTH_REQUIRED)
+                               .Authorization(TAG_USAGE_COUNT_LIMIT, 1)
+                               .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
+                               .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
+                               .SetDefaultValidity();
+
+        auto result = GenerateKey(builder, &key_blob, &key_characteristics);
        // Strongbox may not support factory provisioned attestation key.
        if (SecLevel() == SecurityLevel::STRONGBOX) {
-            if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
+            if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
+                result = GenerateKeyWithSelfSignedAttestKey(
+                        AuthorizationSetBuilder()
+                                .RsaKey(key_size, 65537)
+                                .AttestKey()
+                                .SetDefaultValidity(), /* attest key params */
+                        builder, &key_blob, &key_characteristics);
+            }
        }
        ASSERT_EQ(ErrorCode::OK, result);

@ -1676,19 +1708,27 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestation) {
    for (auto curve : ValidCurves()) {
        vector<uint8_t> key_blob;
        vector<KeyCharacteristics> key_characteristics;
-        auto result = GenerateKey(AuthorizationSetBuilder()
-                                          .Authorization(TAG_NO_AUTH_REQUIRED)
-                                          .EcdsaSigningKey(curve)
-                                          .Digest(Digest::NONE)
-                                          .AttestationChallenge(challenge)
-                                          .AttestationApplicationId(app_id)
-                                          .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
-                                          .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
-                                          .SetDefaultValidity(),
-                                  &key_blob, &key_characteristics);
+        auto builder = AuthorizationSetBuilder()
+                               .Authorization(TAG_NO_AUTH_REQUIRED)
+                               .EcdsaSigningKey(curve)
+                               .Digest(Digest::NONE)
+                               .AttestationChallenge(challenge)
+                               .AttestationApplicationId(app_id)
+                               .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
+                               .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
+                               .SetDefaultValidity();
+
+        auto result = GenerateKey(builder, &key_blob, &key_characteristics);
        // Strongbox may not support factory provisioned attestation key.
        if (SecLevel() == SecurityLevel::STRONGBOX) {
-            if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
+            if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
+                result = GenerateKeyWithSelfSignedAttestKey(
+                        AuthorizationSetBuilder()
+                                .EcdsaKey(curve)
+                                .AttestKey()
+                                .SetDefaultValidity(), /* attest key params */
+                        builder, &key_blob, &key_characteristics);
+            }
        }
        ASSERT_EQ(ErrorCode::OK, result);
        ASSERT_GT(key_blob.size(), 0U);
@ -1826,7 +1866,14 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationTags) {
        }
        // Strongbox may not support factory provisioned attestation key.
        if (SecLevel() == SecurityLevel::STRONGBOX) {
-            if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
+            if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
+                result = GenerateKeyWithSelfSignedAttestKey(
+                        AuthorizationSetBuilder()
+                                .EcdsaKey(EcCurve::P_256)
+                                .AttestKey()
+                                .SetDefaultValidity(), /* attest key params */
+                        builder, &key_blob, &key_characteristics);
+            }
        }
        ASSERT_EQ(result, ErrorCode::OK);
        ASSERT_GT(key_blob.size(), 0U);
@ -1878,8 +1925,20 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationTags) {
                        .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
                        .SetDefaultValidity();
        builder.push_back(tag);
-        ASSERT_EQ(ErrorCode::CANNOT_ATTEST_IDS,
-                  GenerateKey(builder, &key_blob, &key_characteristics));
+
+        auto error = GenerateKey(builder, &key_blob, &key_characteristics);
+        // Strongbox may not support factory provisioned attestation key.
+        if (SecLevel() == SecurityLevel::STRONGBOX) {
+            if (error == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
+                error = GenerateKeyWithSelfSignedAttestKey(
+                        AuthorizationSetBuilder()
+                                .EcdsaKey(EcCurve::P_256)
+                                .AttestKey()
+                                .SetDefaultValidity(), /* attest key params */
+                        builder, &key_blob, &key_characteristics);
+            }
+        }
+        ASSERT_EQ(error, ErrorCode::CANNOT_ATTEST_IDS);
    }
 }

@ -1984,8 +2043,18 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationUniqueId) {
        if (reset) {
            builder.Authorization(TAG_RESET_SINCE_ID_ROTATION);
        }
-
-        ASSERT_EQ(ErrorCode::OK, GenerateKey(builder));
+        auto result = GenerateKey(builder);
+        if (SecLevel() == SecurityLevel::STRONGBOX) {
+            if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
+                result = GenerateKeyWithSelfSignedAttestKey(
+                        AuthorizationSetBuilder()
+                                .EcdsaKey(EcCurve::P_256)
+                                .AttestKey()
+                                .SetDefaultValidity(), /* attest key params */
+                        builder, &key_blob_, &key_characteristics_, &cert_chain_);
+            }
+        }
+        ASSERT_EQ(ErrorCode::OK, result);
        ASSERT_GT(key_blob_.size(), 0U);

        EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_));
@ -2072,21 +2141,29 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationTagNoApplicationId) {
    // to confirm that this field never makes it into the attestation extension.
    vector<uint8_t> key_blob;
    vector<KeyCharacteristics> key_characteristics;
-    auto result = GenerateKey(AuthorizationSetBuilder()
-                                      .Authorization(TAG_NO_AUTH_REQUIRED)
-                                      .EcdsaSigningKey(EcCurve::P_256)
-                                      .Digest(Digest::NONE)
-                                      .AttestationChallenge(challenge)
-                                      .AttestationApplicationId(attest_app_id)
-                                      .Authorization(TAG_APPLICATION_ID, "client_id")
-                                      .Authorization(TAG_APPLICATION_DATA, "appdata")
-                                      .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
-                                      .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
-                                      .SetDefaultValidity(),
-                              &key_blob, &key_characteristics);
+    auto builder = AuthorizationSetBuilder()
+                           .Authorization(TAG_NO_AUTH_REQUIRED)
+                           .EcdsaSigningKey(EcCurve::P_256)
+                           .Digest(Digest::NONE)
+                           .AttestationChallenge(challenge)
+                           .AttestationApplicationId(attest_app_id)
+                           .Authorization(TAG_APPLICATION_ID, "client_id")
+                           .Authorization(TAG_APPLICATION_DATA, "appdata")
+                           .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
+                           .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
+                           .SetDefaultValidity();
+
+    auto result = GenerateKey(builder, &key_blob, &key_characteristics);
    // Strongbox may not support factory provisioned attestation key.
    if (SecLevel() == SecurityLevel::STRONGBOX) {
-        if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
+        if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
+            result = GenerateKeyWithSelfSignedAttestKey(
+                    AuthorizationSetBuilder()
+                            .EcdsaKey(EcCurve::P_256)
+                            .AttestKey()
+                            .SetDefaultValidity(), /* attest key params */
+                    builder, &key_blob, &key_characteristics);
+        }
    }
    ASSERT_EQ(result, ErrorCode::OK);
    ASSERT_GT(key_blob.size(), 0U);
@ -2166,16 +2243,23 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationRequireAppId) {
    auto challenge = "hello";
    vector<uint8_t> key_blob;
    vector<KeyCharacteristics> key_characteristics;
+    auto builder = AuthorizationSetBuilder()
+                           .EcdsaSigningKey(EcCurve::P_256)
+                           .Digest(Digest::NONE)
+                           .AttestationChallenge(challenge)
+                           .SetDefaultValidity();

-    auto result = GenerateKey(AuthorizationSetBuilder()
-                                      .EcdsaSigningKey(EcCurve::P_256)
-                                      .Digest(Digest::NONE)
-                                      .AttestationChallenge(challenge)
-                                      .SetDefaultValidity(),
-                              &key_blob, &key_characteristics);
+    auto result = GenerateKey(builder, &key_blob, &key_characteristics);
    // Strongbox may not support factory provisioned attestation key.
    if (SecLevel() == SecurityLevel::STRONGBOX) {
-        if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
+        if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
+            result = GenerateKeyWithSelfSignedAttestKey(
+                    AuthorizationSetBuilder()
+                            .EcdsaKey(EcCurve::P_256)
+                            .AttestKey()
+                            .SetDefaultValidity(), /* attest key params */
+                    builder, &key_blob, &key_characteristics);
+        }
    }
    ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING, result);
 }
@ -2234,17 +2318,25 @@ TEST_P(NewKeyGenerationTest, AttestationApplicationIDLengthProperlyEncoded) {
        const string app_id(length, 'a');
        vector<uint8_t> key_blob;
        vector<KeyCharacteristics> key_characteristics;
-        auto result = GenerateKey(AuthorizationSetBuilder()
-                                          .Authorization(TAG_NO_AUTH_REQUIRED)
-                                          .EcdsaSigningKey(EcCurve::P_256)
-                                          .Digest(Digest::NONE)
-                                          .AttestationChallenge(challenge)
-                                          .AttestationApplicationId(app_id)
-                                          .SetDefaultValidity(),
-                                  &key_blob, &key_characteristics);
+        auto builder = AuthorizationSetBuilder()
+                               .Authorization(TAG_NO_AUTH_REQUIRED)
+                               .EcdsaSigningKey(EcCurve::P_256)
+                               .Digest(Digest::NONE)
+                               .AttestationChallenge(challenge)
+                               .AttestationApplicationId(app_id)
+                               .SetDefaultValidity();
+
+        auto result = GenerateKey(builder, &key_blob, &key_characteristics);
        // Strongbox may not support factory provisioned attestation key.
        if (SecLevel() == SecurityLevel::STRONGBOX) {
-            if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
+            if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
+                result = GenerateKeyWithSelfSignedAttestKey(
+                        AuthorizationSetBuilder()
+                                .EcdsaKey(EcCurve::P_256)
+                                .AttestKey()
+                                .SetDefaultValidity(), /* attest key params */
+                        builder, &key_blob, &key_characteristics);
+            }
        }
        ASSERT_EQ(ErrorCode::OK, result);
        ASSERT_GT(key_blob.size(), 0U);
@ -7427,15 +7519,26 @@ class KeyAgreementTest : public KeyMintAidlTestBase {

    void GenerateKeyMintEcKey(EcCurve curve, EVP_PKEY_Ptr* kmPubKey) {
        vector<uint8_t> challenge = {0x41, 0x42};
-        ErrorCode result =
-                GenerateKey(AuthorizationSetBuilder()
-                                    .Authorization(TAG_NO_AUTH_REQUIRED)
-                                    .Authorization(TAG_EC_CURVE, curve)
-                                    .Authorization(TAG_PURPOSE, KeyPurpose::AGREE_KEY)
-                                    .Authorization(TAG_ALGORITHM, Algorithm::EC)
-                                    .Authorization(TAG_ATTESTATION_APPLICATION_ID, {0x61, 0x62})
-                                    .Authorization(TAG_ATTESTATION_CHALLENGE, challenge)
-                                    .SetDefaultValidity());
+        auto builder = AuthorizationSetBuilder()
+                               .Authorization(TAG_NO_AUTH_REQUIRED)
+                               .Authorization(TAG_EC_CURVE, curve)
+                               .Authorization(TAG_PURPOSE, KeyPurpose::AGREE_KEY)
+                               .Authorization(TAG_ALGORITHM, Algorithm::EC)
+                               .Authorization(TAG_ATTESTATION_APPLICATION_ID, {0x61, 0x62})
+                               .Authorization(TAG_ATTESTATION_CHALLENGE, challenge)
+                               .SetDefaultValidity();
+        ErrorCode result = GenerateKey(builder);
+
+        if (SecLevel() == SecurityLevel::STRONGBOX) {
+            if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
+                result = GenerateKeyWithSelfSignedAttestKey(
+                        AuthorizationSetBuilder()
+                                .EcdsaKey(EcCurve::P_256)
+                                .AttestKey()
+                                .SetDefaultValidity(), /* attest key params */
+                        builder, &key_blob_, &key_characteristics_, &cert_chain_);
+            }
+        }
        ASSERT_EQ(ErrorCode::OK, result) << "Failed to generate key";
        ASSERT_GT(cert_chain_.size(), 0);
        X509_Ptr kmKeyCert(parse_cert_blob(cert_chain_[0].encodedCertificate));