Flag for import of previously-emulated keys

Test: build
Bug: 283077822
Change-Id: I28f673b6eb905c2953fbb91f2658ff224ca0e21c

keystore2/aconfig/flags.aconfig

@@ -15,3 +15,11 @@ flag {
   bug: "307460850"
   is_fixed_read_only: true
 }
+
+flag {
+  name: "import_previously_emulated_keys"
+  namespace: "hardware_backed_security"
+  description: "Include support for importing keys that were previously software-emulated into KeyMint"
+  bug: "283077822"
+  is_fixed_read_only: true
+}

keystore2/src/utils.rs

@@ -367,7 +367,9 @@ where
                     km_op,
                     new_blob_handler,
                 )
-            } else if key_blob.starts_with(km_compat::KEYMASTER_BLOB_SW_PREFIX) {
+            } else if keystore2_flags::import_previously_emulated_keys()
+                && key_blob.starts_with(km_compat::KEYMASTER_BLOB_SW_PREFIX)
+            {
                 // 2) The keyblob was created in software by the km_compat C++ code because a prior
                 //    Keymaster implementation did not support ECDH (which was only added in KeyMint).
                 //
@@ -386,9 +388,10 @@ where
                     km_op,
                     new_blob_handler,
                 )
-            } else if let km_compat::KeyBlob::Wrapped(inner_keyblob) =
+            } else if let (true, km_compat::KeyBlob::Wrapped(inner_keyblob)) = (
-                km_compat::unwrap_keyblob(key_blob)
+                keystore2_flags::import_previously_emulated_keys(),
-            {
+                km_compat::unwrap_keyblob(key_blob),
+            ) {
                 // 3) The keyblob was created in software by km_compat.rs because a prior KeyMint
                 //    implementation did not support a feature present in the current KeyMint spec.
                 //    (For example, a curve 25519 key created when the device only supported KeyMint