Add "Unlocked device required" key API

    public static final int KM_TAG_ALLOW_WHILE_ON_BODY = KM_BOOL | 506;

    public static final int KM_TAG_TRUSTED_USER_PRESENCE_REQUIRED = KM_BOOL | 507;

    public static final int KM_TAG_TRUSTED_CONFIRMATION_REQUIRED = KM_BOOL | 508;

    public static final int KM_TAG_UNLOCKED_DEVICE_REQUIRED = KM_BOOL | 509;

    public static final int KM_TAG_ALL_APPLICATIONS = KM_BOOL | 600;

    public static final int KM_TAG_APPLICATION_ID = KM_BYTES | 601;

    public static final int KM_ERROR_MISSING_MIN_MAC_LENGTH = -58;

    public static final int KM_ERROR_UNSUPPORTED_MIN_MAC_LENGTH = -59;

    public static final int KM_ERROR_CANNOT_ATTEST_IDS = -66;

    public static final int KM_ERROR_DEVICE_LOCKED = -72;

    public static final int KM_ERROR_UNIMPLEMENTED = -100;

    public static final int KM_ERROR_VERSION_MISMATCH = -101;

    public static final int KM_ERROR_UNKNOWN_ERROR = -1000;

        sErrorCodeToString.put(KM_ERROR_INVALID_MAC_LENGTH,

                "Invalid MAC or authentication tag length");

        sErrorCodeToString.put(KM_ERROR_CANNOT_ATTEST_IDS, "Unable to attest device ids");

        sErrorCodeToString.put(KM_ERROR_DEVICE_LOCKED, "Device locked");

        sErrorCodeToString.put(KM_ERROR_UNIMPLEMENTED, "Not implemented");

        sErrorCodeToString.put(KM_ERROR_UNKNOWN_ERROR, "Unknown error");

    }

    /**

     * Attempt to lock the keystore for {@code user}.

     *

     * @param user Android user to lock.

     * @param userId Android user to lock.

     * @return whether {@code user}'s keystore was locked.

     */

    public boolean lock(int userId) {

     * This is required before keystore entries created with FLAG_ENCRYPTED can be accessed or

     * created.

     *

     * @param user Android user ID to operate on

     * @param userId Android user ID to operate on

     * @param password user's keystore password. Should be the most recent value passed to

     * {@link #onUserPasswordChanged} for the user.

     *

        try {

            args = args != null ? args : new KeymasterArguments();

            entropy = entropy != null ? entropy : new byte[0];

            // TODO(67752510): Apply USER_ID tag

            return mBinder.begin(getToken(), alias, purpose, pruneable, args, entropy, uid);

        } catch (RemoteException e) {

            Log.w(TAG, "Cannot connect to keystore", e);

    private final boolean mInvalidatedByBiometricEnrollment;

    private final boolean mIsStrongBoxBacked;

    private final boolean mUserConfirmationRequired;

    private final boolean mUnlockedDeviceRequired;

    /**

     * @hide should be built with Builder

            boolean userAuthenticationValidWhileOnBody,

            boolean invalidatedByBiometricEnrollment,

            boolean isStrongBoxBacked,

            boolean userConfirmationRequired) {

            boolean userConfirmationRequired,

            boolean unlockedDeviceRequired) {

        if (TextUtils.isEmpty(keyStoreAlias)) {

            throw new IllegalArgumentException("keyStoreAlias must not be empty");

        }

        mInvalidatedByBiometricEnrollment = invalidatedByBiometricEnrollment;

        mIsStrongBoxBacked = isStrongBoxBacked;

        mUserConfirmationRequired = userConfirmationRequired;

        mUnlockedDeviceRequired = unlockedDeviceRequired;

    }

    /**

        return mIsStrongBoxBacked;

    }

    /**

     * @hide Returns {@code true} if the key cannot be used unless the device screen is unlocked.

     *

     * @see Builder#setUnlockedDeviceRequired(boolean)

     */

    public boolean isUnlockedDeviceRequired() {

        return mUnlockedDeviceRequired;

    }

    /**

     * @hide

     */

        private boolean mInvalidatedByBiometricEnrollment = true;

        private boolean mIsStrongBoxBacked = false;

        private boolean mUserConfirmationRequired;

        private boolean mUnlockedDeviceRequired = false;

        /**

         * Creates a new instance of the {@code Builder}.

            return this;

        }

        /**

         * @hide Sets whether the keystore requires the screen to be unlocked before allowing decryption

         * using this key. If this is set to {@code true}, any attempt to decrypt using this key

         * while the screen is locked will fail. A locked device requires a PIN, password,

         * fingerprint, or other trusted factor to access.

         */

        @NonNull

        public Builder setUnlockedDeviceRequired(boolean unlockedDeviceRequired) {

            mUnlockedDeviceRequired = unlockedDeviceRequired;

            return this;

        }

        /**

         * Builds an instance of {@code KeyGenParameterSpec}.

         */

                    mUserAuthenticationValidWhileOnBody,

                    mInvalidatedByBiometricEnrollment,

                    mIsStrongBoxBacked,

                    mUserConfirmationRequired);

                    mUserConfirmationRequired,

                    mUnlockedDeviceRequired);

        }

    }

}

    private final boolean mRandomizedEncryptionRequired;

    private final boolean mUserAuthenticationRequired;

    private final int mUserAuthenticationValidityDurationSeconds;

    private final boolean mTrustedUserPresenceRequred;

    private final boolean mTrustedUserPresenceRequired;

    private final boolean mUserAuthenticationValidWhileOnBody;

    private final boolean mInvalidatedByBiometricEnrollment;

    private final long mBoundToSecureUserId;

    private final boolean mCriticalToDeviceEncryption;

    private final boolean mUserConfirmationRequired;

    private final boolean mUnlockedDeviceRequired;

    private KeyProtection(

            Date keyValidityStart,

            boolean randomizedEncryptionRequired,

            boolean userAuthenticationRequired,

            int userAuthenticationValidityDurationSeconds,

            boolean trustedUserPresenceRequred,

            boolean trustedUserPresenceRequired,

            boolean userAuthenticationValidWhileOnBody,

            boolean invalidatedByBiometricEnrollment,

            long boundToSecureUserId,

            boolean criticalToDeviceEncryption,

            boolean userConfirmationRequired) {

            boolean userConfirmationRequired,

            boolean unlockedDeviceRequired) {

        mKeyValidityStart = Utils.cloneIfNotNull(keyValidityStart);

        mKeyValidityForOriginationEnd = Utils.cloneIfNotNull(keyValidityForOriginationEnd);

        mKeyValidityForConsumptionEnd = Utils.cloneIfNotNull(keyValidityForConsumptionEnd);

        mRandomizedEncryptionRequired = randomizedEncryptionRequired;

        mUserAuthenticationRequired = userAuthenticationRequired;

        mUserAuthenticationValidityDurationSeconds = userAuthenticationValidityDurationSeconds;

        mTrustedUserPresenceRequred = trustedUserPresenceRequred;

        mTrustedUserPresenceRequired = trustedUserPresenceRequired;

        mUserAuthenticationValidWhileOnBody = userAuthenticationValidWhileOnBody;

        mInvalidatedByBiometricEnrollment = invalidatedByBiometricEnrollment;

        mBoundToSecureUserId = boundToSecureUserId;

        mCriticalToDeviceEncryption = criticalToDeviceEncryption;

        mUserConfirmationRequired = userConfirmationRequired;

        mUnlockedDeviceRequired = unlockedDeviceRequired;

    }

    /**

     * been performed between the {@code Signature.initSign()} and {@code Signature.sign()} calls.

     */

    public boolean isTrustedUserPresenceRequired() {

        return mTrustedUserPresenceRequred;

        return mTrustedUserPresenceRequired;

    }

    /**

        return mCriticalToDeviceEncryption;

    }

    /**

     * @hide Returns {@code true} if the key cannot be used unless the device screen is unlocked.

     *

     * @see Builder#setUnlockedDeviceRequired(boolean)

     */

    public boolean isUnlockedDeviceRequired() {

        return mUnlockedDeviceRequired;

    }

    /**

     * Builder of {@link KeyProtection} instances.

     */

        private boolean mUserAuthenticationValidWhileOnBody;

        private boolean mInvalidatedByBiometricEnrollment = true;

        private boolean mUserConfirmationRequired;

        private boolean mUnlockedDeviceRequired = false;

        private long mBoundToSecureUserId = GateKeeper.INVALID_SECURE_USER_ID;

        private boolean mCriticalToDeviceEncryption = false;

            return this;

        }

        /**

         * @hide Sets whether the keystore requires the screen to be unlocked before allowing decryption

         * using this key. If this is set to {@code true}, any attempt to decrypt using this key

         * while the screen is locked will fail. A locked device requires a PIN, password,

         * fingerprint, or other trusted factor to access.

         */

        @NonNull

        public Builder setUnlockedDeviceRequired(boolean unlockedDeviceRequired) {

            mUnlockedDeviceRequired = unlockedDeviceRequired;

            return this;

        }

        /**

         * Builds an instance of {@link KeyProtection}.

         *

                    mInvalidatedByBiometricEnrollment,

                    mBoundToSecureUserId,

                    mCriticalToDeviceEncryption,

                    mUserConfirmationRequired);

                    mUserConfirmationRequired,

                    mUnlockedDeviceRequired);

        }

    }

}

     *         state (e.g., secure lock screen not set up) for generating or importing keys that

     *         require user authentication.

     */

    public static void addUserAuthArgs(KeymasterArguments args,

            UserAuthArgs spec) {

    public static void addUserAuthArgs(KeymasterArguments args, UserAuthArgs spec) {

        // TODO (67752510): Implement "unlocked device required"

        if (spec.isUserConfirmationRequired()) {

            args.addBoolean(KeymasterDefs.KM_TAG_TRUSTED_CONFIRMATION_REQUIRED);

        }