From e5364d7617ffb1c787aa5ddb185727115ebbd88c Mon Sep 17 00:00:00 2001
From: Shawn Willden <swillden@google.com>
Date: Thu, 16 Jun 2022 12:50:40 -0600
Subject: [PATCH] Read VSR level from correct property.

Bug: 235424890
Test: VtsHalKeymasterV4_0TargetTest & VtsAidlKeyMintTargetTest
Ignore-AOSP-First: Cherry-pick of aosp/2128833
Change-Id: I39109c097d129124097a303c3f108d015cb367e3
Merged-In: I39109c097d129124097a303c3f108d015cb367e3
---
 .../functional/keymaster_hidl_hal_test.cpp    | 33 ++++++++++---------
 .../vts/functional/KeyMintAidlTestBase.cpp    | 33 ++++++++++---------
 2 files changed, 36 insertions(+), 30 deletions(-)

diff --git a/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp b/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp
index bdaaf96dc4..fb5048a2f3 100644
--- a/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp
+++ b/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp
@@ -388,25 +388,28 @@ bool avb_verification_enabled() {
 }
 
 int get_vsr_api_level() {
-    int api_level = ::android::base::GetIntProperty("ro.board.api_level", -1);
-    if (api_level == -1) {
-        api_level = ::android::base::GetIntProperty("ro.board.first_api_level", -1);
+    int vendor_api_level = ::android::base::GetIntProperty("ro.vendor.api_level", -1);
+    if (vendor_api_level != -1) {
+        return vendor_api_level;
     }
-    if (api_level == -1) {
-        api_level = ::android::base::GetIntProperty("ro.vndk.version", -1);
+
+    // Android S and older devices do not define ro.vendor.api_level
+    vendor_api_level = ::android::base::GetIntProperty("ro.board.api_level", -1);
+    if (vendor_api_level == -1) {
+        vendor_api_level = ::android::base::GetIntProperty("ro.board.first_api_level", -1);
     }
-    // We really should have a VSR API level by now.  But on cuttlefish, and perhaps other weird
-    // devices, we may not.  So, we use the SDK first or current API level if needed.  If this goes
-    // wrong, it should go wrong in the direction of being too strict rather than too lenient, which
-    // should provoke someone to examine why we don't have proper VSR API level properties.
-    if (api_level == -1) {
-        api_level = ::android::base::GetIntProperty("ro.product.first_api_level", -1);
+
+    int product_api_level = ::android::base::GetIntProperty("ro.product.first_api_level", -1);
+    if (product_api_level == -1) {
+        product_api_level = ::android::base::GetIntProperty("ro.build.version.sdk", -1);
+        EXPECT_NE(product_api_level, -1) << "Could not find ro.build.version.sdk";
     }
-    if (api_level == -1) {
-        api_level = ::android::base::GetIntProperty("ro.build.version.sdk", -1);
+
+    // VSR API level is the minimum of vendor_api_level and product_api_level.
+    if (vendor_api_level == -1 || vendor_api_level > product_api_level) {
+        return product_api_level;
     }
-    EXPECT_NE(api_level, -1) << "Could not find a VSR level, or equivalent.";
-    return api_level;
+    return vendor_api_level;
 }
 
 bool is_gsi() {
diff --git a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp
index 33945fd0e5..46db4f0c78 100644
--- a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp
+++ b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp
@@ -1461,25 +1461,28 @@ void verify_subject(const X509* cert,       //
 }
 
 int get_vsr_api_level() {
-    int api_level = ::android::base::GetIntProperty("ro.board.api_level", -1);
-    if (api_level == -1) {
-        api_level = ::android::base::GetIntProperty("ro.board.first_api_level", -1);
+    int vendor_api_level = ::android::base::GetIntProperty("ro.vendor.api_level", -1);
+    if (vendor_api_level != -1) {
+        return vendor_api_level;
     }
-    if (api_level == -1) {
-        api_level = ::android::base::GetIntProperty("ro.vndk.version", -1);
+
+    // Android S and older devices do not define ro.vendor.api_level
+    vendor_api_level = ::android::base::GetIntProperty("ro.board.api_level", -1);
+    if (vendor_api_level == -1) {
+        vendor_api_level = ::android::base::GetIntProperty("ro.board.first_api_level", -1);
     }
-    // We really should have a VSR API level by now.  But on cuttlefish, and perhaps other weird
-    // devices, we may not.  So, we use the SDK first or current API level if needed.  If this goes
-    // wrong, it should go wrong in the direction of being too strict rather than too lenient, which
-    // should provoke someone to examine why we don't have proper VSR API level properties.
-    if (api_level == -1) {
-        api_level = ::android::base::GetIntProperty("ro.product.first_api_level", -1);
+
+    int product_api_level = ::android::base::GetIntProperty("ro.product.first_api_level", -1);
+    if (product_api_level == -1) {
+        product_api_level = ::android::base::GetIntProperty("ro.build.version.sdk", -1);
+        EXPECT_NE(product_api_level, -1) << "Could not find ro.build.version.sdk";
     }
-    if (api_level == -1) {
-        api_level = ::android::base::GetIntProperty("ro.build.version.sdk", -1);
+
+    // VSR API level is the minimum of vendor_api_level and product_api_level.
+    if (vendor_api_level == -1 || vendor_api_level > product_api_level) {
+        return product_api_level;
     }
-    EXPECT_NE(api_level, -1) << "Could not find a VSR level, or equivalent.";
-    return api_level;
+    return vendor_api_level;
 }
 
 bool is_gsi_image() {