Add deviceLocked to VerificationResult.Success

PiperOrigin-RevId: 905126495

Author: Android HW Trust Team

src/main/kotlin/Verifier.kt

@@ -48,6 +48,7 @@ sealed interface VerificationResult {
     val challenge: ByteString,
     val securityLevel: SecurityLevel,
     val verifiedBootState: VerifiedBootState,
+    val deviceLocked: Boolean,
     val deviceInformation: ProvisioningInfoMap?,
     val attestedDeviceIds: DeviceIdentity,
   ) : VerificationResult
@@ -305,12 +306,14 @@ constructor(
       minOf(keyDescription.attestationSecurityLevel, keyDescription.keyMintSecurityLevel)
     val rootOfTrust = keyDescription.hardwareEnforced.rootOfTrust
     val verifiedBootState = rootOfTrust?.verifiedBootState ?: VerifiedBootState.UNVERIFIED
+    val deviceLocked = rootOfTrust?.deviceLocked ?: false
 
     return VerificationResult.Success(
       pathValidationResult.publicKey,
       keyDescription.attestationChallenge,
       securityLevel,
       verifiedBootState,
+      deviceLocked,
       deviceInformation,
       DeviceIdentity.parseFrom(keyDescription),
     )

src/test/kotlin/VerifierTest.kt

@@ -82,6 +82,8 @@ class VerifierTest {
     assertThat(result.securityLevel).isEqualTo(json.attestationSecurityLevel)
     assertThat(result.verifiedBootState)
       .isEqualTo(json.hardwareEnforced.rootOfTrust?.verifiedBootState)
+    assertThat(result.deviceLocked)
+      .isEqualTo(json.hardwareEnforced.rootOfTrust?.deviceLocked ?: false)
   }
 
   enum class TestCase(val path: String, val timestamp: Instant) {