Fix refreshDeviceLockedForUser() to use correct trust state

TrustManagerService#refreshDeviceLockedForUser() incorrectly considers
the device to be unlocked by a trust agent whenever a trust agent has
granted trust. This ignores the conditions that
TrustManagerService#updateTrust() has for recognizing trust grants.

This code used to be correct, but it became incorrect in Android 10 when
trust agents were made to extend unlock rather than actively unlock.

The correct state is sent to Keyguard, while the incorrect state is sent
to Keystore. This would cause UnlockedDeviceRequired keys to sometimes
be usable when the device is locked, though since Android 12 this bug is
hidden by other bugs with UnlockedDeviceRequired keys that make them
unusable in many cases. However, these bugs are planned to be fixed.

Therefore, fix this bug by making refreshDeviceLockedForUser() use
mUserTrustState, which holds the user's authoritative trust state.

Bug: 296464083
Bug: 298249081
Flag: 296464083
Test: adb shell device_config put hardware_backed_security android.security.fix_unlocked_device_required_keys true
atest TrustTests
adb shell device_config put hardware_backed_security android.security.fix_unlocked_device_required_keys false
atest TrustTests
Change-Id: I0880685c23ebe71a799671fa611fafb42642fa83
diff --git a/tests/TrustTests/Android.bp b/tests/TrustTests/Android.bp
index a1b888a..c216bce 100644
--- a/tests/TrustTests/Android.bp
+++ b/tests/TrustTests/Android.bp
@@ -25,6 +25,7 @@
"androidx.test.rules",
"androidx.test.ext.junit",
"androidx.test.uiautomator_uiautomator",
+ "flag-junit",
"mockito-target-minus-junit4",
"servicestests-utils",
"truth-prebuilt",
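Review bot: The new "flag-junit" entry only pays off if the TrustTests sources in this change actually use its flag rules, and the Test: lines in the commit message still flip android.security.fix_unlocked_device_required_keys by hand with device_config before each atest run. Please confirm the tests select the flag state themselves through the flag-junit rules, so that both the true and false paths are covered in an ordinary run without manual setup. Since the message says Keyguard and Keystore were receiving different states, a test asserting that the locked state reported to Keystore follows mUserTrustState rather than any raw trust grant would make the regression visible.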