Allowing GSI patch level to be greater than vbmeta SPL

The GSI patch level might be greater than the vbmeta SPL, because GSI system.img might be updated via the DSU flow, where vbmeta.img won't be updated in this scenario. https://developer.android.com/topic/dsu Allowing GSI patch level to be greater than or equal to the vbmeta SPL, since Treble allows new system.img works on old vendor images. Bug: 145377203 Test: atest VtsHalKeymasterV4_0TargetTest Change-Id: Ib761d80c88695eb2db08b0dc00e30fcdc2788865 Merged-In: Ib761d80c88695eb2db08b0dc00e30fcdc2788865 (cherry picked from commit 63c0129fa6)
2020-03-13 14:54:37 +08:00 · 2020-03-13 14:54:37 +08:00 · 2c94e43016
commit 2c94e43016
parent 9ade092595
2 changed files with 36 additions and 7 deletions
--- a/keymaster/4.0/support/include/keymasterV4_0/authorization_set.h
+++ b/keymaster/4.0/support/include/keymasterV4_0/authorization_set.h
@ -17,6 +17,7 @@
 #ifndef SYSTEM_SECURITY_KEYSTORE_KM4_AUTHORIZATION_SET_H_
 #define SYSTEM_SECURITY_KEYSTORE_KM4_AUTHORIZATION_SET_H_

+#include <functional>
 #include <vector>

 #include <keymasterV4_0/keymaster_tags.h>
@ -165,11 +166,12 @@ class AuthorizationSet {
     */
    bool Contains(Tag tag) const { return find(tag) != -1; }

-    template <TagType tag_type, Tag tag, typename ValueT>
-    bool Contains(TypedTag<tag_type, tag> ttag, const ValueT& value) const {
+    template <TagType tag_type, Tag tag, typename ValueT, typename Comparator = std::equal_to<>>
+    bool Contains(TypedTag<tag_type, tag> ttag, const ValueT& value,
+                  Comparator cmp = Comparator()) const {
        for (const auto& param : data_) {
            auto entry = authorizationValue(ttag, param);
-            if (entry.isOk() && static_cast<ValueT>(entry.value()) == value) return true;
+            if (entry.isOk() && cmp(static_cast<ValueT>(entry.value()), value)) return true;
        }
        return false;
    }
--- a/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp
+++ b/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp
@ -17,9 +17,12 @@
 #define LOG_TAG "keymaster_hidl_hal_test"
 #include <cutils/log.h>

-#include <iostream>
 #include <signal.h>

+#include <functional>
+#include <iostream>
+#include <string>
+
 #include <openssl/evp.h>
 #include <openssl/mem.h>
 #include <openssl/x509.h>
@ -32,6 +35,8 @@

 #include "KeymasterHidlTest.h"

+using namespace std::string_literals;
+
 static bool arm_deleteAllKeys = false;
 static bool dump_Attestations = false;

@ -315,6 +320,12 @@ bool avb_verification_enabled() {
    return property_get("ro.boot.vbmeta.device_state", value, "") != 0;
 }

+bool is_gsi() {
+    char property_value[PROPERTY_VALUE_MAX] = {};
+    EXPECT_NE(property_get("ro.product.system.name", property_value, ""), 0);
+    return "mainline"s == property_value;
+}
+
 }  // namespace

 bool verify_attestation_record(const string& challenge, const string& app_id,
@ -512,9 +523,25 @@ class NewKeyGenerationTest : public KeymasterHidlTest {
        EXPECT_TRUE(auths.Contains(TAG_OS_VERSION, os_version()))
            << "OS version is " << os_version() << " key reported "
            << auths.GetTagValue(TAG_OS_VERSION);
-        EXPECT_TRUE(auths.Contains(TAG_OS_PATCHLEVEL, os_patch_level()))
-            << "OS patch level is " << os_patch_level() << " key reported "
-            << auths.GetTagValue(TAG_OS_PATCHLEVEL);
+
+        if (is_gsi()) {
+            // In general, TAG_OS_PATCHLEVEL should be equal to os_patch_level()
+            // reported from the system.img in use. But it is allowed to boot a
+            // GSI system.img with newer patch level, which means TAG_OS_PATCHLEVEL
+            // might be less than or equal to os_patch_level() in this case.
+            EXPECT_TRUE(auths.Contains(TAG_OS_PATCHLEVEL,  // vbmeta.img patch level
+                                       os_patch_level(),   // system.img patch level
+                                       std::less_equal<>()))
+                    << "OS patch level is " << os_patch_level()
+                    << ", which is less than key reported " << auths.GetTagValue(TAG_OS_PATCHLEVEL);
+        } else {
+            EXPECT_TRUE(auths.Contains(TAG_OS_PATCHLEVEL,  // vbmeta.img patch level
+                                       os_patch_level(),   // system.img patch level
+                                       std::equal_to<>()))
+                    << "OS patch level is " << os_patch_level()
+                    << ", which is not equal to key reported "
+                    << auths.GetTagValue(TAG_OS_PATCHLEVEL);
+        }
    }

    void CheckCharacteristics(const HidlBuf& key_blob,