Add a specific error code for keystore failure

Because of the keystore 2.0 migration, we expect to see one time RoR
failures in S build. Add an error code to distinguish the case.

Bug: 183140900
Test: atest FrameworksServicesTests:RebootEscrowManagerTests
Change-Id: Ieeb0ebef570cb7392f6ac47d2ad918da64869712

1 files changed, 9 insertions, 0 deletions

diff --git a/services/core/java/com/android/server/locksettings/RebootEscrowManager.java b/services/core/java/com/android/server/locksettings/RebootEscrowManager.java
index 6ffcb811ae1d..76ecc1acc7ac 100644
--- a/services/core/java/com/android/server/locksettings/RebootEscrowManager.java
+++ b/services/core/java/com/android/server/locksettings/RebootEscrowManager.java
@@ -115,6 +115,7 @@ class RebootEscrowManager {
             ERROR_RETRY_COUNT_EXHAUSTED,
             ERROR_UNLOCK_ALL_USERS,
             ERROR_PROVIDER_MISMATCH,
+            ERROR_KEYSTORE_FAILURE,
     })
     @Retention(RetentionPolicy.SOURCE)
     @interface RebootEscrowErrorCode {
@@ -127,6 +128,7 @@ class RebootEscrowManager {
     static final int ERROR_RETRY_COUNT_EXHAUSTED = 4;
     static final int ERROR_UNLOCK_ALL_USERS = 5;
     static final int ERROR_PROVIDER_MISMATCH = 6;
+    static final int ERROR_KEYSTORE_FAILURE = 7;
 
     private @RebootEscrowErrorCode int mLoadEscrowDataErrorCode = ERROR_NONE;
 
@@ -474,6 +476,13 @@ class RebootEscrowManager {
             return null;
         }
 
+        // Server based RoR always need the decryption key from keystore.
+        if (rebootEscrowProvider.getType() == RebootEscrowProviderInterface.TYPE_SERVER_BASED
+                && kk == null) {
+            mLoadEscrowDataErrorCode = ERROR_KEYSTORE_FAILURE;
+            return null;
+        }
+
         // The K_s blob maybe encrypted by K_k as well.
         RebootEscrowKey key = rebootEscrowProvider.getAndClearRebootEscrowKey(kk);
         if (key != null) {