From 60054311b369b96dc79efbab189b643af62426f5 Mon Sep 17 00:00:00 2001 From: Leon Masopust Date: Mon, 5 Jun 2023 15:03:46 +0000 Subject: [PATCH] Cleanup remote attestation policies in TpmChallengeKeySubtle Remove checks for the policies AttestationEnabledForDevice and AttestationEnabledForUser in TpmChallengeKeySubtle as these can no longer be set by admins (launch/227712). Remove test cases which verify this behavior as well. Add TODOs to cleanup usage/notion of these policies in other parts. Bug: b:277706611, b:285556135 Change-Id: I8e0271a362ba5067309d841b3327d42084efac23 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4561753 Reviewed-by: Maksim Ivanov Reviewed-by: Pavol Marko Commit-Queue: Leon Masopust Reviewed-by: Alex Ilin Cr-Commit-Position: refs/heads/main@{#1153228} --- .../ash/attestation/attestation_ca_client.cc | 1 + .../attestation/attestation_policy_observer.h | 2 + .../attestation/tpm_challenge_key_subtle.cc | 95 +++---------------- .../attestation/tpm_challenge_key_subtle.h | 8 -- .../tpm_challenge_key_subtle_unittest.cc | 38 -------- .../ash/login/saml/saml_browsertest.cc | 46 --------- .../enterprise_platform_keys_api_unittest.cc | 7 +- .../keystore_service_lacros_browsertest.cc | 8 +- chrome/common/pref_names.cc | 1 + .../settings/cros_settings_names.cc | 1 + .../AttestationEnabledForDevice.yaml | 1 + .../AttestationEnabledForUser.yaml | 1 + ...ros.lacros_chrome_browsertests.skew.filter | 3 + 13 files changed, 30 insertions(+), 182 deletions(-) diff --git a/chrome/browser/ash/attestation/attestation_ca_client.cc b/chrome/browser/ash/attestation/attestation_ca_client.cc index c087de1308208..d163cb9cfad63 100644 --- a/chrome/browser/ash/attestation/attestation_ca_client.cc +++ b/chrome/browser/ash/attestation/attestation_ca_client.cc 
@@ -180,6 +180,7 @@ void AttestationCAClient::OnURLLoadComplete( void AttestationCAClient::FetchURL(const std::string& url, const std::string& request, DataCallback on_response) { + // TODO(b/285556135): Remove mention of DeviceAttestationEnabled const net::NetworkTrafficAnnotationTag traffic_annotation = net::DefineNetworkTrafficAnnotation("attestation_ca_client", R"( semantics { diff --git a/chrome/browser/ash/attestation/attestation_policy_observer.h b/chrome/browser/ash/attestation/attestation_policy_observer.h index 21e66734a72e6..68e8022c6c819 100644 --- a/chrome/browser/ash/attestation/attestation_policy_observer.h +++ b/chrome/browser/ash/attestation/attestation_policy_observer.h @@ -15,6 +15,8 @@ namespace attestation { class MachineCertificateUploader; +// TODO(b/285556135): Replace this observer with another trigger which starts +// the certificate upload as soon as device policies are available. // A class which observes policy changes and uploads a certificate if necessary. class AttestationPolicyObserver { public: diff --git a/chrome/browser/ash/attestation/tpm_challenge_key_subtle.cc b/chrome/browser/ash/attestation/tpm_challenge_key_subtle.cc index 990a0c061cc38..4dbfbb9cd0293 100644 --- a/chrome/browser/ash/attestation/tpm_challenge_key_subtle.cc +++ b/chrome/browser/ash/attestation/tpm_challenge_key_subtle.cc 
@@ -101,9 +101,12 @@ bool IsEnterpriseDevice() { return InstallAttributes::Get()->IsEnterpriseManaged(); } -// For personal devices, we don't need to check if remote attestation is -// enabled in the device, but we need to ask for user consent if the key -// does not exist. +// For unmanaged devices we need to ask for user consent if the key does not +// exist because data will be sent to the PCA. +// Historical note: For managed device there used to be policies to control this +// (AttestationEnabledForUser,AttestationEnabledForDevice) but they were removed +// from the client after having been set to true unconditionally for all clients +// for a long time. bool IsUserConsentRequired() { return !IsEnterpriseDevice(); } @@ -254,10 +257,13 @@ void TpmChallengeKeySubtleImpl::PrepareMachineKey() { return; } - // Check if remote attestation is enabled in the device policy. - GetDeviceAttestationEnabled(base::BindRepeating( - &TpmChallengeKeySubtleImpl::GetDeviceAttestationEnabledCallback, - weak_factory_.GetWeakPtr())); + // Wait for the machine certificate to be uploaded. + if (machine_certificate_uploader_) { + machine_certificate_uploader_->WaitForUploadComplete(base::BindOnce( + &TpmChallengeKeySubtleImpl::PrepareKey, weak_factory_.GetWeakPtr())); + } else { + PrepareKey(true); + } } void TpmChallengeKeySubtleImpl::PrepareUserKey() { 
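Review bot: The rewritten comment above IsUserConsentRequired() has two small slips: "For managed device" should read "For managed devices", and the policy list needs a space after the comma, `(AttestationEnabledForUser, AttestationEnabledForDevice)`. The note also says the policies "were removed from the client", while the same patch keeps `kAttestationEnabled` and `kDeviceAttestationEnabled` behind TODOs. A wording such as `// ... but the client no longer reads them` would match what the code does today.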
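Review bot: The new tail of PrepareMachineKey has no replacement for the fail-closed handling the old path applied when device settings were `PERMANENTLY_UNTRUSTED`, so the device-key flow is now gated only by the early-return checks earlier in the function, which start outside the hunk. If that is the intended trust model, record it where the policy check used to sit, e.g. `// No device-policy gate: eligibility is decided solely by the checks above.` The bare literal would read better as `PrepareKey(/*can_continue=*/true);`, matching the argument comments used in the tests touched by this commit. `ResultCode::kDevicePolicyDisabledError` appears to have no producer left in this file, so a `TODO(b/285556135)` to retire it would keep callers from handling a dead result.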
@@ -270,26 +276,15 @@ void TpmChallengeKeySubtleImpl::PrepareUserKey() { return; } - if (!IsRemoteAttestationEnabledForUser()) { - std::move(callback_).Run( - Result::MakeError(ResultCode::kUserPolicyDisabledError)); - return; - } - if (IsEnterpriseDevice()) { if (!IsUserAffiliated()) { std::move(callback_).Run( Result::MakeError(ResultCode::kUserNotManagedError)); return; } - - // Check if remote attestation is enabled in the device policy. - GetDeviceAttestationEnabled(base::BindRepeating( - &TpmChallengeKeySubtleImpl::GetDeviceAttestationEnabledCallback, - weak_factory_.GetWeakPtr())); - } else { - GetDeviceAttestationEnabledCallback(true); } + + PrepareKey(true); } bool TpmChallengeKeySubtleImpl::IsUserAffiliated() const { @@ -302,17 +297,6 @@ bool TpmChallengeKeySubtleImpl::IsUserAffiliated() const { return false; } -bool TpmChallengeKeySubtleImpl::IsRemoteAttestationEnabledForUser() const { - DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_); - DCHECK(profile_); - - PrefService* prefs = profile_->GetPrefs(); - if (prefs && prefs->IsManagedPreference(prefs::kAttestationEnabled)) { - return prefs->GetBoolean(prefs::kAttestationEnabled); - } - return false; -} - std::string TpmChallengeKeySubtleImpl::GetEmail() const { DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_); 
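Review bot: In PrepareUserKey the non-enterprise branch now reaches `PrepareKey(true)` with no check in this function, and the change removes the tests for the old rejections without adding one that pins what a `KEY_USER` request on an unmanaged device returns. Judging by the updated lacros expectation elsewhere in this patch, such a request now fails later in the flow, so the outcome depends on downstream behaviour rather than on a guard here. A unit test asserting the resulting `TpmChallengeKeyResultCode` for that case, plus a comment such as `// Unmanaged devices: the remaining gate is the user-consent prompt, see IsUserConsentRequired().`, would make the contract explicit. `ResultCode::kUserPolicyDisabledError` also looks unproduced after this hunk; the function's opening checks are outside the hunk.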
@@ -378,55 +362,6 @@ std::string TpmChallengeKeySubtleImpl::GetUsernameForAttestationClient() const { return std::string(); } -void TpmChallengeKeySubtleImpl::GetDeviceAttestationEnabled( - const base::RepeatingCallback& callback) { - DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_); - - CrosSettings* settings = CrosSettings::Get(); - CrosSettingsProvider::TrustedStatus status = settings->PrepareTrustedValues( - base::BindOnce(&TpmChallengeKeySubtleImpl::GetDeviceAttestationEnabled, - weak_factory_.GetWeakPtr(), callback)); - - bool value = false; - switch (status) { - case CrosSettingsProvider::TRUSTED: - if (!settings->GetBoolean(kDeviceAttestationEnabled, &value)) { - value = false; - } - break; - case CrosSettingsProvider::TEMPORARILY_UNTRUSTED: - // Do nothing. This function will be called again when the values are - // ready. - return; - case CrosSettingsProvider::PERMANENTLY_UNTRUSTED: - // If the value cannot be trusted, we assume that the device attestation - // is false to be on the safe side. - break; - } - - callback.Run(value); -} - -void TpmChallengeKeySubtleImpl::GetDeviceAttestationEnabledCallback( - bool enabled) { - DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_); - - if (!enabled) { - std::move(callback_).Run( - Result::MakeError(ResultCode::kDevicePolicyDisabledError)); - return; - } - - // Only the device challenge depends on the certificate to be uploaded. - if ((key_type_ == AttestationKeyType::KEY_DEVICE) && - machine_certificate_uploader_) { - machine_certificate_uploader_->WaitForUploadComplete(base::BindOnce( - &TpmChallengeKeySubtleImpl::PrepareKey, weak_factory_.GetWeakPtr())); - } else { - PrepareKey(true); - } -} - void TpmChallengeKeySubtleImpl::PrepareKey(bool can_continue) { DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_); diff --git a/chrome/browser/ash/attestation/tpm_challenge_key_subtle.h b/chrome/browser/ash/attestation/tpm_challenge_key_subtle.h index d6186e8c6f579..7e142489a9fc7 100644 
--- a/chrome/browser/ash/attestation/tpm_challenge_key_subtle.h +++ b/chrome/browser/ash/attestation/tpm_challenge_key_subtle.h @@ -173,8 +173,6 @@ class TpmChallengeKeySubtleImpl final : public TpmChallengeKeySubtle { // If this is a device-wide instance without a user-associated |profile_|, // returns false. bool IsUserAffiliated() const; - // Returns true if remote attestation is allowed and the setting is managed. - bool IsRemoteAttestationEnabledForUser() const; // Returns the user email (for user key) or an empty string (for machine key). std::string GetEmail() const; @@ -205,12 +203,6 @@ class TpmChallengeKeySubtleImpl final : public TpmChallengeKeySubtle { const ::attestation::RegisterKeyWithChapsTokenReply& reply); void MarkCorporateKeyCallback(chromeos::platform_keys::Status status); - // Returns a trusted value from CrosSettings indicating if the device - // attestation is enabled. - void GetDeviceAttestationEnabled( - const base::RepeatingCallback& callback); - void GetDeviceAttestationEnabledCallback(bool enabled); - void GetEnrollmentPreparationsCallback( const ::attestation::GetEnrollmentPreparationsReply& reply); void PrepareKeyErrorHandlerCallback( diff --git a/chrome/browser/ash/attestation/tpm_challenge_key_subtle_unittest.cc b/chrome/browser/ash/attestation/tpm_challenge_key_subtle_unittest.cc index 53e82cf13738d..33079175984e8 100644 --- a/chrome/browser/ash/attestation/tpm_challenge_key_subtle_unittest.cc +++ b/chrome/browser/ash/attestation/tpm_challenge_key_subtle_unittest.cc 
@@ -272,16 +272,11 @@ void TpmChallengeKeySubtleTestBase::SetUp() { break; case TestProfileChoice::kAffiliatedProfile: testing_profile_ = CreateUserProfile(/*is_affiliated=*/true); - testing_profile_->GetTestingPrefService()->SetManagedPref( - prefs::kAttestationEnabled, std::make_unique(true)); break; } GetInstallAttributes()->SetCloudManaged("google.com", "device_id"); - GetCrosSettingsHelper()->ReplaceDeviceSettingsProviderWithStub(); - GetCrosSettingsHelper()->SetBoolean(kDeviceAttestationEnabled, true); - system_token_key_permissions_manager_ = std::make_unique(); platform_keys::KeyPermissionsManagerImpl:: @@ -457,16 +452,6 @@ TEST_P(DeviceKeysAccessTpmChallengeKeySubtleTest, TpmChallengeKeyResultCode::kNonEnterpriseDeviceError)); } -TEST_P(DeviceKeysAccessTpmChallengeKeySubtleTest, - DeviceKeyDeviceAttestationDisabled) { - GetCrosSettingsHelper()->SetBoolean(kDeviceAttestationEnabled, false); - - RunOneStepAndExpect( - KEY_DEVICE, /*will_register_key=*/false, kEmptyKeyName, - TpmChallengeKeyResult::MakeError( - TpmChallengeKeyResultCode::kDevicePolicyDisabledError)); -} - TEST_F(UnaffiliatedUserTpmChallengeKeySubtleTest, DeviceKeyUserNotManaged) { RunOneStepAndExpect(KEY_DEVICE, /*will_register_key=*/false, kEmptyKeyName, 
@@ -481,37 +466,14 @@ TEST_F(SigninProfileTpmChallengeKeySubtleTest, UserKeyUserKeyNotAvailable) { TpmChallengeKeyResultCode::kUserKeyNotAvailableError)); } -TEST_F(AffiliatedUserTpmChallengeKeySubtleTest, UserKeyUserPolicyDisabled) { - GetProfile()->GetTestingPrefService()->SetManagedPref( - prefs::kAttestationEnabled, std::make_unique(false)); - - RunOneStepAndExpect(KEY_USER, - /*will_register_key=*/false, kEmptyKeyName, - TpmChallengeKeyResult::MakeError( - TpmChallengeKeyResultCode::kUserPolicyDisabledError)); -} - // Checks that a user should be affiliated with a device TEST_F(UnaffiliatedUserTpmChallengeKeySubtleTest, UserKeyUserNotAffiliated) { - GetProfile()->GetTestingPrefService()->SetManagedPref( - prefs::kAttestationEnabled, std::make_unique(true)); - RunOneStepAndExpect(KEY_USER, /*will_register_key=*/false, kEmptyKeyName, TpmChallengeKeyResult::MakeError( TpmChallengeKeyResultCode::kUserNotManagedError)); } -TEST_F(AffiliatedUserTpmChallengeKeySubtleTest, - UserKeyDeviceAttestationDisabled) { - GetCrosSettingsHelper()->SetBoolean(kDeviceAttestationEnabled, false); - - RunOneStepAndExpect( - KEY_USER, /*will_register_key=*/false, kEmptyKeyName, - TpmChallengeKeyResult::MakeError( - TpmChallengeKeyResultCode::kDevicePolicyDisabledError)); -} - TEST_P(DeviceKeysAccessTpmChallengeKeySubtleTest, DoesKeyExistDbusFailed) { AttestationClient::Get() ->GetTestInterface() diff --git a/chrome/browser/ash/login/saml/saml_browsertest.cc b/chrome/browser/ash/login/saml/saml_browsertest.cc index 9d55ad5314b6e..9d1d73084f642 100644 --- a/chrome/browser/ash/login/saml/saml_browsertest.cc +++ b/chrome/browser/ash/login/saml/saml_browsertest.cc 
@@ -2013,26 +2013,9 @@ IN_PROC_BROWSER_TEST_F(SAMLDeviceAttestationTest, ASSERT_FALSE(fake_saml_idp()->IsLastChallengeResponseExists()); } -// Verify that device attestation is not available when device attestation is -// not enabled. -IN_PROC_BROWSER_TEST_F(SAMLDeviceAttestationEnrolledTest, - DeviceAttestationNotEnabledError) { - SetAllowedUrlsPolicy({fake_saml_idp()->GetIdpHost()}); - - StartSamlAndWaitForIdpPageLoad( - saml_test_users::kFourthUserCorpExampleTestEmail); - - if (Test::HasFailure()) { - return; - } - - ASSERT_FALSE(fake_saml_idp()->IsLastChallengeResponseExists()); -} - // Verify that device attestation works when all policies configured correctly. IN_PROC_BROWSER_TEST_F(SAMLDeviceAttestationEnrolledTest, Success) { SetAllowedUrlsPolicy({fake_saml_idp()->GetIdpHost()}); - settings_provider_->SetBoolean(kDeviceAttestationEnabled, true); StartSamlAndWaitForIdpPageLoad( saml_test_users::kFourthUserCorpExampleTestEmail); @@ -2052,7 +2035,6 @@ IN_PROC_BROWSER_TEST_F(SAMLDeviceAttestationEnrolledTest, Success) { // allowed URLs list. IN_PROC_BROWSER_TEST_F(SAMLDeviceAttestationEnrolledTest, PolicyNoMatchError) { SetAllowedUrlsPolicy({fake_saml_idp()->GetIdpDomain()}); - settings_provider_->SetBoolean(kDeviceAttestationEnabled, true); StartSamlAndWaitForIdpPageLoad( saml_test_users::kFourthUserCorpExampleTestEmail); @@ -2070,7 +2052,6 @@ IN_PROC_BROWSER_TEST_F(SAMLDeviceAttestationEnrolledTest, PolicyNoMatchError) { // from allowed URLs list. IN_PROC_BROWSER_TEST_F(SAMLDeviceAttestationEnrolledTest, PolicyRegexSuccess) { SetAllowedUrlsPolicy({"[*.]" + fake_saml_idp()->GetIdpDomain()}); - settings_provider_->SetBoolean(kDeviceAttestationEnabled, true); StartSamlAndWaitForIdpPageLoad( saml_test_users::kFourthUserCorpExampleTestEmail); 
@@ -2091,7 +2072,6 @@ IN_PROC_BROWSER_TEST_F(SAMLDeviceAttestationEnrolledTest, PolicyRegexSuccess) { IN_PROC_BROWSER_TEST_F(SAMLDeviceAttestationEnrolledTest, PolicyTwoEntriesSuccess) { SetAllowedUrlsPolicy({"example2.com", fake_saml_idp()->GetIdpHost()}); - settings_provider_->SetBoolean(kDeviceAttestationEnabled, true); StartSamlAndWaitForIdpPageLoad( saml_test_users::kFourthUserCorpExampleTestEmail); @@ -2115,7 +2095,6 @@ IN_PROC_BROWSER_TEST_F(SAMLDeviceAttestationEnrolledTest, SetAllowedUrlsPolicy({fake_saml_idp()->GetIdpHost()}); SetDeviceContextAwareAccessSignalsAllowlistPolicy( {fake_saml_idp()->GetIdpHost()}); - settings_provider_->SetBoolean(kDeviceAttestationEnabled, true); StartSamlAndWaitForIdpPageLoad( saml_test_users::kFourthUserCorpExampleTestEmail); @@ -2139,7 +2118,6 @@ IN_PROC_BROWSER_TEST_F(SAMLDeviceAttestationEnrolledTest, IN_PROC_BROWSER_TEST_F(SAMLDeviceAttestationEnrolledTest, TimeoutError) { SetAllowedUrlsPolicy({"example2.com", fake_saml_idp()->GetIdpHost()}); - settings_provider_->SetBoolean(kDeviceAttestationEnabled, true); AttestationClient::Get() ->GetTestInterface() @@ -2176,12 +2154,6 @@ class SAMLDeviceTrustTest : public SAMLDeviceAttestationTest, DeviceStateMixin::State::OOBE_COMPLETED_CLOUD_ENROLLED); } - void SetUpInProcessBrowserTestFixture() override { - SAMLDeviceAttestationTest::SetUpInProcessBrowserTestFixture(); - // Enable device trust feature. - settings_provider_->SetBoolean(kDeviceAttestationEnabled, true); - } - void ExpectDeviceTrustSuccessful(bool expected) { ASSERT_EQ(fake_saml_idp()->DeviceTrustHeaderRecieved(), expected); ASSERT_EQ(fake_saml_idp()->IsLastChallengeResponseExists(), expected); 
@@ -2249,24 +2221,6 @@ IN_PROC_BROWSER_TEST_P(SAMLDeviceTrustEnrolledTest, EmptyPolicy) { ASSERT_FALSE(fake_saml_idp()->DeviceTrustHeaderRecieved()); } -// Verify that device trust is not available when device trust is -// not enabled. -IN_PROC_BROWSER_TEST_P(SAMLDeviceTrustEnrolledTest, - DeviceTrustNotEnabledError) { - SetDeviceContextAwareAccessSignalsAllowlistPolicy( - {fake_saml_idp()->GetIdpHost()}); - settings_provider_->SetBoolean(kDeviceAttestationEnabled, false); - - StartSamlAndWaitForIdpPageLoad( - saml_test_users::kSixthUserCorpExampleTestEmail); - - if (Test::HasFailure()) { - return; - } - - ASSERT_FALSE(fake_saml_idp()->IsLastChallengeResponseExists()); -} - // Verify that device trust is available for URLs that match a pattern // from allowed URLs list. IN_PROC_BROWSER_TEST_P(SAMLDeviceTrustEnrolledTest, PolicyRegexSuccess) { diff --git a/chrome/browser/extensions/api/enterprise_platform_keys/enterprise_platform_keys_api_unittest.cc b/chrome/browser/extensions/api/enterprise_platform_keys/enterprise_platform_keys_api_unittest.cc index 3636dc8917dd5..fbee9afbc3b31 100644 --- a/chrome/browser/extensions/api/enterprise_platform_keys/enterprise_platform_keys_api_unittest.cc +++ b/chrome/browser/extensions/api/enterprise_platform_keys/enterprise_platform_keys_api_unittest.cc @@ -277,12 +277,7 @@ class EPKChallengeUserKeyTest : public EPKChallengeKeyTestBase { func_->set_extension(extension_.get()); } - void SetUp() override { - EPKChallengeKeyTestBase::SetUp(); - - // Set the user preferences. - prefs_->SetBoolean(prefs::kAttestationEnabled, true); - } + void SetUp() override { EPKChallengeKeyTestBase::SetUp(); } base::Value::List CreateArgs() { return CreateArgsInternal(true); } diff --git a/chrome/browser/lacros/keystore_service_lacros_browsertest.cc b/chrome/browser/lacros/keystore_service_lacros_browsertest.cc index 3e2eccd90d380..1628069c2ae3f 100644 --- a/chrome/browser/lacros/keystore_service_lacros_browsertest.cc 
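Review bot: `EPKChallengeUserKeyTest::SetUp()` now only forwards to `EPKChallengeKeyTestBase::SetUp()`, so the override adds nothing and can be deleted; the fixture inherits the base implementation unchanged. If it is kept deliberately as a hook for later setup, a one-line comment saying so would stop the next cleanup from removing it. The class body continues outside the hunk.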
+++ b/chrome/browser/lacros/keystore_service_lacros_browsertest.cc @@ -170,11 +170,11 @@ IN_PROC_BROWSER_TEST_F(KeystoreServiceLacrosBrowserTest, WrongFormattingUser) { ASSERT_TRUE(result->is_error_message()); - // TODO(https://crbug.com/1134349): Currently this errors out because remote - // attestation is disabled. We want this to error out because of a poorly - // formatted attestation message. + // TODO(https://crbug.com/1134349): Currently this errors out because the + // device is not enterprise enrolled. We want this to error out because of a + // poorly formatted attestation message. const char expected_error_message[] = - "Remote attestation is not enabled for your account."; + "Failed to get Enterprise certificate. Error code = 2"; EXPECT_EQ(expected_error_message, result->get_error_message()); } diff --git a/chrome/common/pref_names.cc b/chrome/common/pref_names.cc index 858e4ddf6649e..774fb245a4c58 100644 --- a/chrome/common/pref_names.cc +++ b/chrome/common/pref_names.cc @@ -572,6 +572,7 @@ const char kLastSessionLength[] = "session.last_session_length"; // honored for public accounts. const char kTermsOfServiceURL[] = "terms_of_service.url"; +// TODO(b/285556135): Remove this pref together with AttestationEnabledForUser // Indicates whether the remote attestation is enabled for the user. const char kAttestationEnabled[] = "attestation.enabled"; diff --git a/chromeos/ash/components/settings/cros_settings_names.cc b/chromeos/ash/components/settings/cros_settings_names.cc index 7da4977069b33..b69bbfee4d751 100644 --- a/chromeos/ash/components/settings/cros_settings_names.cc +++ b/chromeos/ash/components/settings/cros_settings_names.cc 
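Review bot: The new `expected_error_message` pins a bare numeric code, `"Failed to get Enterprise certificate. Error code = 2"`, while the TODO above it attributes the failure to the device not being enterprise enrolled, and nothing in the hunk connects the two. A reader cannot tell whether code 2 is the intended rejection or an incidental failure of the test environment, so name the status in the comment, e.g. `// Error code 2 is <STATUS_NAME_PLACEHOLDER> as reported by the attestation client.` Since the TODO already says this is not the error the test ultimately wants, asserting `is_error_message()` plus a stable prefix of the message would be less brittle than matching the full string.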
@@ -303,6 +303,7 @@ const char kFeatureFlags[] = "cros.feature_flags"; const char kVariationsRestrictParameter[] = "cros.variations_restrict_parameter"; +// TODO(b/285556135): Remove this pref together with AttestationEnabledForDevice // A boolean pref that indicates whether enterprise attestation is enabled for // the device. const char kDeviceAttestationEnabled[] = "cros.device.attestation_enabled"; diff --git a/components/policy/resources/templates/policy_definitions/Attestation/AttestationEnabledForDevice.yaml b/components/policy/resources/templates/policy_definitions/Attestation/AttestationEnabledForDevice.yaml index 8da0c3aa16d78..8b8edb7a0d526 100644 --- a/components/policy/resources/templates/policy_definitions/Attestation/AttestationEnabledForDevice.yaml +++ b/components/policy/resources/templates/policy_definitions/Attestation/AttestationEnabledForDevice.yaml @@ -1,3 +1,4 @@ +# TODO(b/285556135): Remove or deprecate this policy caption: Enable remote attestation for the device desc: |- Setting the policy to Enabled allows remote attestation for the device. A certificate is automatically generated and uploaded to the Device Management Server. diff --git a/components/policy/resources/templates/policy_definitions/Attestation/AttestationEnabledForUser.yaml b/components/policy/resources/templates/policy_definitions/Attestation/AttestationEnabledForUser.yaml index 58b15f7916ede..2572fd09a3746 100644 --- a/components/policy/resources/templates/policy_definitions/Attestation/AttestationEnabledForUser.yaml +++ b/components/policy/resources/templates/policy_definitions/Attestation/AttestationEnabledForUser.yaml 
@@ -1,3 +1,4 @@ +# TODO(b/285556135): Remove or deprecate this policy caption: Enable remote attestation for the user desc: |- Setting the policy to Enabled lets users use the hardware on $2Google ChromeOS devices to remotely attest its identity to the privacy CA through the Enterprise Platform Keys API using chrome.enterprise.platformKeys.challengeUserKey(). diff --git a/testing/buildbot/filters/linux-lacros.lacros_chrome_browsertests.skew.filter b/testing/buildbot/filters/linux-lacros.lacros_chrome_browsertests.skew.filter index ec174cf1152d1..d463b0613c57b 100644 --- a/testing/buildbot/filters/linux-lacros.lacros_chrome_browsertests.skew.filter +++ b/testing/buildbot/filters/linux-lacros.lacros_chrome_browsertests.skew.filter @@ -7,3 +7,6 @@ # as "idle" when connecting a new service. -NetworkingPrivateChromeOSApiTest.OnNetworksChangedEventConnect +# ash-chrome < 116 checks the policy AttestationEnabledForUser when building a +# response for a Verified Access challenge which leads to a different error. +-KeystoreServiceLacrosBrowserTest.WrongFormattingUser
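Review bot: The new skew-filter entry for `KeystoreServiceLacrosBrowserTest.WrongFormattingUser` explains why the test is skipped but gives no condition or tracking reference for re-enabling it, so the exclusion is likely to outlive the version skew it works around. Adding a line such as `# TODO(b/285556135): Remove once ash-chrome < 116 is no longer in the skew window.` would tie it to the cleanup bug already cited in this patch. This matters more than usual here because the skipped test is the one covering the changed attestation error path.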