336b5db809
If biometric unlock is enabled, we tell keystore at lock time so that a key can be set up in KM which unlocks UNLOCKED_DEVICE_REQUIRED keys based on auth tokens carrying those SIDs. This also has the effect that if there is no biometric unlock, UNLOCKED_DEVICE_REQUIRED keys have full cryptographic protection, per NIAP requirements. Test: aosp/1686345 Bug: 163866361 Change-Id: Ia4d01faa998c76b2b33ad3520730466ac59e6d8d