Merge "[VTS] Update allocator name for AIDL allocator." into tm-dev
diff --git a/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp b/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp
index bf56860..bdaaf96 100644
--- a/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp
+++ b/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp
@@ -27,6 +27,7 @@
#include <openssl/mem.h>
#include <openssl/x509.h>
+#include <android-base/properties.h>
#include <cutils/properties.h>
#include <keymasterV4_0/attestation_record.h>
@@ -386,6 +387,28 @@
return property_get("ro.boot.vbmeta.device_state", value, "") != 0;
}
+int get_vsr_api_level() {
+ int api_level = ::android::base::GetIntProperty("ro.board.api_level", -1);
+ if (api_level == -1) {
+ api_level = ::android::base::GetIntProperty("ro.board.first_api_level", -1);
+ }
+ if (api_level == -1) {
+ api_level = ::android::base::GetIntProperty("ro.vndk.version", -1);
+ }
+ // We really should have a VSR API level by now. But on cuttlefish, and perhaps other weird
+ // devices, we may not. So, we use the SDK first or current API level if needed. If this goes
+ // wrong, it should go wrong in the direction of being too strict rather than too lenient, which
+ // should provoke someone to examine why we don't have proper VSR API level properties.
+ if (api_level == -1) {
+ api_level = ::android::base::GetIntProperty("ro.product.first_api_level", -1);
+ }
+ if (api_level == -1) {
+ api_level = ::android::base::GetIntProperty("ro.build.version.sdk", -1);
+ }
+ EXPECT_NE(api_level, -1) << "Could not find a VSR level, or equivalent.";
+ return api_level;
+}
+
bool is_gsi() {
char property_value[PROPERTY_VALUE_MAX] = {};
EXPECT_NE(property_get("ro.product.system.name", property_value, ""), 0);
@@ -4833,6 +4856,18 @@
INSTANTIATE_KEYMASTER_HIDL_TEST(TransportLimitTest);
+using VsrRequirementTest = KeymasterHidlTest;
+
+TEST_P(VsrRequirementTest, Vsr13Test) {
+ int vsr_api_level = get_vsr_api_level();
+ if (vsr_api_level < 33) {
+ GTEST_SKIP() << "Applies only to VSR API level 33, this device is: " << vsr_api_level;
+ }
+ FAIL() << "VSR 13+ requires KeyMint version 2";
+}
+
+INSTANTIATE_KEYMASTER_HIDL_TEST(VsrRequirementTest);
+
} // namespace test
} // namespace V4_0
} // namespace keymaster
diff --git a/security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl b/security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl
index da02d54..95a3710 100644
--- a/security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl
+++ b/security/keymint/aidl/android/hardware/security/keymint/IKeyMintDevice.aidl
@@ -873,7 +873,7 @@
* The returned data is an encoded COSE_Mac0 structure, denoted MacedRootOfTrust in the
* following CDDL schema. Note that K_mac is the shared HMAC key used for auth tokens, etc.:
*
- * MacedRootOfTrust = [ ; COSE_Mac0 (untagged)
+ * MacedRootOfTrust = #6.17 [ ; COSE_Mac0 (tagged)
* protected: bstr .cbor {
* 1 : 5, ; Algorithm : HMAC-256
* },
@@ -891,7 +891,7 @@
* payload : bstr .cbor RootOfTrust,
* ]
*
- * RootOfTrust = [
+ * RootOfTrust = #6.40001 [ ; Tag 40001 indicates RoT v1.
* verifiedBootKey : bstr .size 32,
* deviceLocked : bool,
* verifiedBootState : &VerifiedBootState,
diff --git a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp
index be21994..33945fd 100644
--- a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp
+++ b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp
@@ -31,7 +31,6 @@
#include <remote_prov/remote_prov_utils.h>
#include <keymaster/cppcose/cppcose.h>
-#include <keymint_support/attestation_record.h>
#include <keymint_support/key_param_output.h>
#include <keymint_support/keymint_utils.h>
#include <keymint_support/openssl_utils.h>
@@ -1461,6 +1460,28 @@
OPENSSL_free(cert_issuer);
}
+int get_vsr_api_level() {
+ int api_level = ::android::base::GetIntProperty("ro.board.api_level", -1);
+ if (api_level == -1) {
+ api_level = ::android::base::GetIntProperty("ro.board.first_api_level", -1);
+ }
+ if (api_level == -1) {
+ api_level = ::android::base::GetIntProperty("ro.vndk.version", -1);
+ }
+ // We really should have a VSR API level by now. But on cuttlefish, and perhaps other weird
+ // devices, we may not. So, we use the SDK first or current API level if needed. If this goes
+ // wrong, it should go wrong in the direction of being too strict rather than too lenient, which
+ // should provoke someone to examine why we don't have proper VSR API level properties.
+ if (api_level == -1) {
+ api_level = ::android::base::GetIntProperty("ro.product.first_api_level", -1);
+ }
+ if (api_level == -1) {
+ api_level = ::android::base::GetIntProperty("ro.build.version.sdk", -1);
+ }
+ EXPECT_NE(api_level, -1) << "Could not find a VSR level, or equivalent.";
+ return api_level;
+}
+
bool is_gsi_image() {
std::ifstream ifs("/system/system_ext/etc/init/init.gsi.rc");
return ifs.good();
@@ -1497,6 +1518,60 @@
verify_subject(cert.get(), subject, self_signed);
}
+void verify_root_of_trust(const vector<uint8_t>& verified_boot_key, bool device_locked,
+ VerifiedBoot verified_boot_state,
+ const vector<uint8_t>& verified_boot_hash) {
+ char property_value[PROPERTY_VALUE_MAX] = {};
+
+ if (avb_verification_enabled()) {
+ EXPECT_NE(property_get("ro.boot.vbmeta.digest", property_value, ""), 0);
+ string prop_string(property_value);
+ EXPECT_EQ(prop_string.size(), 64);
+ EXPECT_EQ(prop_string, bin2hex(verified_boot_hash));
+
+ EXPECT_NE(property_get("ro.boot.vbmeta.device_state", property_value, ""), 0);
+ if (!strcmp(property_value, "unlocked")) {
+ EXPECT_FALSE(device_locked);
+ } else {
+ EXPECT_TRUE(device_locked);
+ }
+
+ // Check that the device is locked if not debuggable, e.g., user build
+ // images in CTS. For VTS, debuggable images are used to allow adb root
+ // and the device is unlocked.
+ if (!property_get_bool("ro.debuggable", false)) {
+ EXPECT_TRUE(device_locked);
+ } else {
+ EXPECT_FALSE(device_locked);
+ }
+ }
+
+ // Verified boot key should be all 0's if the boot state is not verified or self signed
+ std::string empty_boot_key(32, '\0');
+ std::string verified_boot_key_str((const char*)verified_boot_key.data(),
+ verified_boot_key.size());
+ EXPECT_NE(property_get("ro.boot.verifiedbootstate", property_value, ""), 0);
+ if (!strcmp(property_value, "green")) {
+ EXPECT_EQ(verified_boot_state, VerifiedBoot::VERIFIED);
+ EXPECT_NE(0, memcmp(verified_boot_key.data(), empty_boot_key.data(),
+ verified_boot_key.size()));
+ } else if (!strcmp(property_value, "yellow")) {
+ EXPECT_EQ(verified_boot_state, VerifiedBoot::SELF_SIGNED);
+ EXPECT_NE(0, memcmp(verified_boot_key.data(), empty_boot_key.data(),
+ verified_boot_key.size()));
+ } else if (!strcmp(property_value, "orange")) {
+ EXPECT_EQ(verified_boot_state, VerifiedBoot::UNVERIFIED);
+ EXPECT_EQ(0, memcmp(verified_boot_key.data(), empty_boot_key.data(),
+ verified_boot_key.size()));
+ } else if (!strcmp(property_value, "red")) {
+ EXPECT_EQ(verified_boot_state, VerifiedBoot::FAILED);
+ } else {
+ EXPECT_EQ(verified_boot_state, VerifiedBoot::UNVERIFIED);
+ EXPECT_EQ(0, memcmp(verified_boot_key.data(), empty_boot_key.data(),
+ verified_boot_key.size()));
+ }
+}
+
bool verify_attestation_record(int32_t aidl_version, //
const string& challenge, //
const string& app_id, //
@@ -1551,8 +1626,6 @@
EXPECT_EQ(security_level, att_keymint_security_level);
EXPECT_EQ(security_level, att_attestation_security_level);
-
- char property_value[PROPERTY_VALUE_MAX] = {};
// TODO(b/136282179): When running under VTS-on-GSI the TEE-backed
// keymint implementation will report YYYYMM dates instead of YYYYMMDD
// for the BOOT_PATCH_LEVEL.
@@ -1612,54 +1685,7 @@
error = parse_root_of_trust(attest_rec->data, attest_rec->length, &verified_boot_key,
&verified_boot_state, &device_locked, &verified_boot_hash);
EXPECT_EQ(ErrorCode::OK, error);
-
- if (avb_verification_enabled()) {
- EXPECT_NE(property_get("ro.boot.vbmeta.digest", property_value, ""), 0);
- string prop_string(property_value);
- EXPECT_EQ(prop_string.size(), 64);
- EXPECT_EQ(prop_string, bin2hex(verified_boot_hash));
-
- EXPECT_NE(property_get("ro.boot.vbmeta.device_state", property_value, ""), 0);
- if (!strcmp(property_value, "unlocked")) {
- EXPECT_FALSE(device_locked);
- } else {
- EXPECT_TRUE(device_locked);
- }
-
- // Check that the device is locked if not debuggable, e.g., user build
- // images in CTS. For VTS, debuggable images are used to allow adb root
- // and the device is unlocked.
- if (!property_get_bool("ro.debuggable", false)) {
- EXPECT_TRUE(device_locked);
- } else {
- EXPECT_FALSE(device_locked);
- }
- }
-
- // Verified boot key should be all 0's if the boot state is not verified or self signed
- std::string empty_boot_key(32, '\0');
- std::string verified_boot_key_str((const char*)verified_boot_key.data(),
- verified_boot_key.size());
- EXPECT_NE(property_get("ro.boot.verifiedbootstate", property_value, ""), 0);
- if (!strcmp(property_value, "green")) {
- EXPECT_EQ(verified_boot_state, VerifiedBoot::VERIFIED);
- EXPECT_NE(0, memcmp(verified_boot_key.data(), empty_boot_key.data(),
- verified_boot_key.size()));
- } else if (!strcmp(property_value, "yellow")) {
- EXPECT_EQ(verified_boot_state, VerifiedBoot::SELF_SIGNED);
- EXPECT_NE(0, memcmp(verified_boot_key.data(), empty_boot_key.data(),
- verified_boot_key.size()));
- } else if (!strcmp(property_value, "orange")) {
- EXPECT_EQ(verified_boot_state, VerifiedBoot::UNVERIFIED);
- EXPECT_EQ(0, memcmp(verified_boot_key.data(), empty_boot_key.data(),
- verified_boot_key.size()));
- } else if (!strcmp(property_value, "red")) {
- EXPECT_EQ(verified_boot_state, VerifiedBoot::FAILED);
- } else {
- EXPECT_EQ(verified_boot_state, VerifiedBoot::UNVERIFIED);
- EXPECT_EQ(0, memcmp(verified_boot_key.data(), empty_boot_key.data(),
- verified_boot_key.size()));
- }
+ verify_root_of_trust(verified_boot_key, device_locked, verified_boot_state, verified_boot_hash);
att_sw_enforced.Sort();
expected_sw_enforced.Sort();
diff --git a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h
index 2634ab7..8f9df24 100644
--- a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h
+++ b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h
@@ -31,6 +31,7 @@
#include <aidl/android/hardware/security/keymint/IKeyMintDevice.h>
#include <aidl/android/hardware/security/keymint/MacedPublicKey.h>
+#include <keymint_support/attestation_record.h>
#include <keymint_support/authorization_set.h>
#include <keymint_support/openssl_utils.h>
@@ -354,6 +355,9 @@
}
}
+// Return the VSR API level for this device.
+int get_vsr_api_level();
+
// Indicate whether the test is running on a GSI image.
bool is_gsi_image();
@@ -363,7 +367,10 @@
void verify_subject_and_serial(const Certificate& certificate, //
const uint64_t expected_serial, //
const string& subject, bool self_signed);
-
+void verify_root_of_trust(const vector<uint8_t>& verified_boot_key, //
+ bool device_locked, //
+ VerifiedBoot verified_boot_state, //
+ const vector<uint8_t>& verified_boot_hash);
bool verify_attestation_record(int aidl_version, //
const string& challenge, //
const string& app_id, //
diff --git a/security/keymint/aidl/vts/functional/KeyMintTest.cpp b/security/keymint/aidl/vts/functional/KeyMintTest.cpp
index 3c2bece..4e746b2 100644
--- a/security/keymint/aidl/vts/functional/KeyMintTest.cpp
+++ b/security/keymint/aidl/vts/functional/KeyMintTest.cpp
@@ -7991,6 +7991,18 @@
INSTANTIATE_KEYMINT_AIDL_TEST(UnlockedDeviceRequiredTest);
+using VsrRequirementTest = KeyMintAidlTestBase;
+
+TEST_P(VsrRequirementTest, Vsr13Test) {
+ int vsr_api_level = get_vsr_api_level();
+ if (vsr_api_level < 33) {
+ GTEST_SKIP() << "Applies only to VSR API level 33, this device is: " << vsr_api_level;
+ }
+ EXPECT_GE(AidlVersion(), 2) << "VSR 13+ requires KeyMint version 2";
+}
+
+INSTANTIATE_KEYMINT_AIDL_TEST(VsrRequirementTest);
+
} // namespace aidl::android::hardware::security::keymint::test
int main(int argc, char** argv) {
diff --git a/security/keymint/aidl/vts/functional/SecureElementProvisioningTest.cpp b/security/keymint/aidl/vts/functional/SecureElementProvisioningTest.cpp
index e630f70..c9a156d 100644
--- a/security/keymint/aidl/vts/functional/SecureElementProvisioningTest.cpp
+++ b/security/keymint/aidl/vts/functional/SecureElementProvisioningTest.cpp
@@ -36,6 +36,8 @@
using std::shared_ptr;
using std::vector;
+constexpr int kRoTVersion1 = 40001;
+
class SecureElementProvisioningTest : public testing::Test {
protected:
static void SetUpTestSuite() {
@@ -57,6 +59,83 @@
}
}
+ void validateMacedRootOfTrust(const vector<uint8_t>& rootOfTrust) {
+ SCOPED_TRACE(testing::Message() << "RoT: " << bin2hex(rootOfTrust));
+
+ const auto [macItem, macEndPos, macErrMsg] = cppbor::parse(rootOfTrust);
+ ASSERT_TRUE(macItem) << "Root of trust parsing failed: " << macErrMsg;
+ ASSERT_EQ(macItem->semanticTagCount(), 1);
+ ASSERT_EQ(macItem->semanticTag(0), cppcose::kCoseMac0SemanticTag);
+ ASSERT_TRUE(macItem->asArray());
+ ASSERT_EQ(macItem->asArray()->size(), cppcose::kCoseMac0EntryCount);
+
+ const auto& protectedItem = macItem->asArray()->get(cppcose::kCoseMac0ProtectedParams);
+ ASSERT_TRUE(protectedItem);
+ ASSERT_TRUE(protectedItem->asBstr());
+ const auto [protMap, protEndPos, protErrMsg] = cppbor::parse(protectedItem->asBstr());
+ ASSERT_TRUE(protMap);
+ ASSERT_TRUE(protMap->asMap());
+ ASSERT_EQ(protMap->asMap()->size(), 1);
+
+ const auto& algorithm = protMap->asMap()->get(cppcose::ALGORITHM);
+ ASSERT_TRUE(algorithm);
+ ASSERT_TRUE(algorithm->asInt());
+ ASSERT_EQ(algorithm->asInt()->value(), cppcose::HMAC_256);
+
+ const auto& unprotItem = macItem->asArray()->get(cppcose::kCoseMac0UnprotectedParams);
+ ASSERT_TRUE(unprotItem);
+ ASSERT_TRUE(unprotItem->asMap());
+ ASSERT_EQ(unprotItem->asMap()->size(), 0);
+
+ const auto& payload = macItem->asArray()->get(cppcose::kCoseMac0Payload);
+ ASSERT_TRUE(payload);
+ ASSERT_TRUE(payload->asBstr());
+ validateRootOfTrust(payload->asBstr()->value());
+
+ const auto& tag = macItem->asArray()->get(cppcose::kCoseMac0Tag);
+ ASSERT_TRUE(tag);
+ ASSERT_TRUE(tag->asBstr());
+ ASSERT_EQ(tag->asBstr()->value().size(), 32);
+ // Cannot validate tag correctness. Only the secure side has the necessary key.
+ }
+
+ void validateRootOfTrust(const vector<uint8_t>& payload) {
+ SCOPED_TRACE(testing::Message() << "RoT payload: " << bin2hex(payload));
+
+ const auto [rot, rotPos, rotErrMsg] = cppbor::parse(payload);
+ ASSERT_TRUE(rot);
+ ASSERT_EQ(rot->semanticTagCount(), 1);
+ ASSERT_EQ(rot->semanticTag(), kRoTVersion1);
+ ASSERT_TRUE(rot->asArray());
+ ASSERT_EQ(rot->asArray()->size(), 5);
+
+ size_t pos = 0;
+
+ const auto& vbKey = rot->asArray()->get(pos++);
+ ASSERT_TRUE(vbKey);
+ ASSERT_TRUE(vbKey->asBstr());
+
+ const auto& deviceLocked = rot->asArray()->get(pos++);
+ ASSERT_TRUE(deviceLocked);
+ ASSERT_TRUE(deviceLocked->asBool());
+
+ const auto& verifiedBootState = rot->asArray()->get(pos++);
+ ASSERT_TRUE(verifiedBootState);
+ ASSERT_TRUE(verifiedBootState->asInt());
+
+ const auto& verifiedBootHash = rot->asArray()->get(pos++);
+ ASSERT_TRUE(verifiedBootHash);
+ ASSERT_TRUE(verifiedBootHash->asBstr());
+
+ const auto& bootPatchLevel = rot->asArray()->get(pos++);
+ ASSERT_TRUE(bootPatchLevel);
+ ASSERT_TRUE(bootPatchLevel->asInt());
+
+ verify_root_of_trust(vbKey->asBstr()->value(), deviceLocked->asBool()->value(),
+ static_cast<VerifiedBoot>(verifiedBootState->asInt()->value()),
+ verifiedBootHash->asBstr()->value());
+ }
+
int32_t AidlVersion(shared_ptr<IKeyMintDevice> keymint) {
int32_t version = 0;
auto status = keymint->getInterfaceVersion(&version);
@@ -96,29 +175,19 @@
vector<uint8_t> rootOfTrust1;
Status result = tee->getRootOfTrust(challenge1, &rootOfTrust1);
-
- // TODO: Remove the next line to require TEEs to succeed.
- if (!result.isOk()) return;
-
- ASSERT_TRUE(result.isOk());
-
- // TODO: Parse and validate rootOfTrust1 here
+ ASSERT_TRUE(result.isOk()) << "getRootOfTrust returned " << result.getServiceSpecificError();
+ validateMacedRootOfTrust(rootOfTrust1);
vector<uint8_t> rootOfTrust2;
result = tee->getRootOfTrust(challenge2, &rootOfTrust2);
ASSERT_TRUE(result.isOk());
-
- // TODO: Parse and validate rootOfTrust2 here
-
+ validateMacedRootOfTrust(rootOfTrust2);
ASSERT_NE(rootOfTrust1, rootOfTrust2);
vector<uint8_t> rootOfTrust3;
result = tee->getRootOfTrust(challenge1, &rootOfTrust3);
ASSERT_TRUE(result.isOk());
-
ASSERT_EQ(rootOfTrust1, rootOfTrust3);
-
- // TODO: Parse and validate rootOfTrust3 here
}
TEST_F(SecureElementProvisioningTest, TeeDoesNotImplementStrongBoxMethods) {
@@ -252,7 +321,7 @@
result = tee->getRootOfTrust(challenge, &rootOfTrust);
ASSERT_TRUE(result.isOk());
- // TODO: Verify COSE_Mac0 structure and content here.
+ validateMacedRootOfTrust(rootOfTrust);
result = sb->sendRootOfTrust(rootOfTrust);
ASSERT_TRUE(result.isOk());
@@ -296,6 +365,8 @@
result = tee->getRootOfTrust(challenge, &rootOfTrust);
ASSERT_TRUE(result.isOk());
+ validateMacedRootOfTrust(rootOfTrust);
+
vector<uint8_t> corruptedRootOfTrust = rootOfTrust;
corruptedRootOfTrust[corruptedRootOfTrust.size() / 2]++;
result = sb->sendRootOfTrust(corruptedRootOfTrust);
