tequilaOS/platform_hardware_interfaces
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge "Allow RKP-only devices to pass keymint VTS" into main

Browse source
This commit is contained in:
Seth Moore 2024-04-09 15:31:26 +00:00 committed by Gerrit Code Review
commit fae563acb0
7 changed files with 167 additions and 331 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

161
security/keymint/aidl/vts/functional/AttestKeyTest.cpp
View file

@ -20,6 +20,7 @@
#include <cutils/log.h>
#include <cutils/properties.h>
#include <keymint_support/authorization_set.h>
#include <keymint_support/key_param_output.h>
#include <keymint_support/openssl_utils.h>
@ -93,7 +94,7 @@ string get_imei(int slot) {
class AttestKeyTest : public KeyMintAidlTestBase {
public:
void SetUp() override {
skipAttestKeyTest();
skipAttestKeyTestIfNeeded();
KeyMintAidlTestBase::SetUp();
}
};
@ -273,7 +274,7 @@ TEST_P(AttestKeyTest, RsaAttestKeyMultiPurposeFail) {
/*
* AttestKeyTest.RsaAttestedAttestKeys
*
* This test creates an RSA attestation key signed by factory keys, and varifies it can be
* This test creates an RSA attestation key signed by factory keys, and verifies it can be
* used to sign other RSA and EC keys.
*/
TEST_P(AttestKeyTest, RsaAttestedAttestKeys) {
@ -305,9 +306,8 @@ TEST_P(AttestKeyTest, RsaAttestedAttestKeys) {
.SetDefaultValidity(),
{} /* attestation signing key */, &attest_key.keyBlob,
&attest_key_characteristics, &attest_key_cert_chain);
// Strongbox may not support factory provisioned attestation key.
if (SecLevel() == SecurityLevel::STRONGBOX) {
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
if (isRkpOnly() && result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
GTEST_SKIP() << "RKP-only devices do not have a factory key";
}
ASSERT_EQ(ErrorCode::OK, result);
KeyBlobDeleter attest_deleter(keymint_, attest_key.keyBlob);
@ -400,30 +400,32 @@ TEST_P(AttestKeyTest, RsaAttestKeyChaining) {
attest_key_opt = attest_key;
}
auto result = GenerateAttestKey(AuthorizationSetBuilder()
.RsaKey(2048, 65537)
.AttestKey()
.AttestationChallenge("foo")
.AttestationApplicationId("bar")
.Authorization(TAG_NO_AUTH_REQUIRED)
.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
.SetDefaultValidity(),
attest_key_opt, &key_blob_list[i],
&attested_key_characteristics, &cert_chain_list[i]);
// Strongbox may not support factory provisioned attestation key.
if (SecLevel() == SecurityLevel::STRONGBOX) {
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
AuthorizationSetBuilder auth_set_builder =
AuthorizationSetBuilder()
.RsaKey(2048, 65537)
.AttestKey()
.AttestationApplicationId("bar")
.Authorization(TAG_NO_AUTH_REQUIRED)
.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
.SetDefaultValidity();
// In RKP-only systems, the first key cannot be attested due to lack of batch key
if (!isRkpOnly() || i > 0) {
auth_set_builder.AttestationChallenge("foo");
}
auto result = GenerateAttestKey(auth_set_builder, attest_key_opt, &key_blob_list[i],
&attested_key_characteristics, &cert_chain_list[i]);
ASSERT_EQ(ErrorCode::OK, result);
deleters.push_back(KeyBlobDeleter(keymint_, key_blob_list[i]));
AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);
AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics);
ASSERT_GT(cert_chain_list[i].size(), 0);
ASSERT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced, hw_enforced,
SecLevel(),
cert_chain_list[i][0].encodedCertificate));
if (!isRkpOnly() || i > 0) {
AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);
AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics);
ASSERT_GT(cert_chain_list[i].size(), 0);
ASSERT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced,
hw_enforced, SecLevel(),
cert_chain_list[i][0].encodedCertificate));
}
if (i > 0) {
/*
@ -439,7 +441,7 @@ TEST_P(AttestKeyTest, RsaAttestKeyChaining) {
}
EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_list[i]));
EXPECT_GT(cert_chain_list[i].size(), i + 1);
EXPECT_GT(cert_chain_list[i].size(), i + (isRkpOnly() ? 0 : 1));
verify_subject_and_serial(cert_chain_list[i][0], serial_int, subject, false);
}
}
@ -475,36 +477,34 @@ TEST_P(AttestKeyTest, EcAttestKeyChaining) {
attest_key_opt = attest_key;
}
auto result = GenerateAttestKey(AuthorizationSetBuilder()
.EcdsaKey(EcCurve::P_256)
.AttestKey()
.AttestationChallenge("foo")
.AttestationApplicationId("bar")
.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
.Authorization(TAG_NO_AUTH_REQUIRED)
.SetDefaultValidity(),
attest_key_opt, &key_blob_list[i],
&attested_key_characteristics, &cert_chain_list[i]);
// Strongbox may not support factory provisioned attestation key.
if (SecLevel() == SecurityLevel::STRONGBOX) {
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
AuthorizationSetBuilder auth_set_builder =
AuthorizationSetBuilder()
.EcdsaKey(EcCurve::P_256)
.AttestKey()
.AttestationApplicationId("bar")
.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
.Authorization(TAG_NO_AUTH_REQUIRED)
.SetDefaultValidity();
// In RKP-only systems, the first key cannot be attested due to lack of batch key
if (!isRkpOnly() || i > 0) {
auth_set_builder.AttestationChallenge("foo");
}
auto result = GenerateAttestKey(auth_set_builder, attest_key_opt, &key_blob_list[i],
&attested_key_characteristics, &cert_chain_list[i]);
ASSERT_EQ(ErrorCode::OK, result);
deleters.push_back(KeyBlobDeleter(keymint_, key_blob_list[i]));
AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);
AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics);
ASSERT_GT(cert_chain_list[i].size(), 0);
ASSERT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced, hw_enforced,
SecLevel(),
cert_chain_list[i][0].encodedCertificate));
if (!isRkpOnly() || i > 0) {
AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);
AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics);
ASSERT_GT(cert_chain_list[i].size(), 0);
ASSERT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced,
hw_enforced, SecLevel(),
cert_chain_list[i][0].encodedCertificate));
}
if (i > 0) {
/*
* The first key is attestated with factory chain, but all the rest of the keys are
* not supposed to be returned in attestation certificate chains.
*/
EXPECT_FALSE(ChainSignaturesAreValid(cert_chain_list[i]));
// Appending the attest_key chain to the attested_key_chain should yield a valid chain.
@ -514,7 +514,7 @@ TEST_P(AttestKeyTest, EcAttestKeyChaining) {
}
EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_list[i]));
EXPECT_GT(cert_chain_list[i].size(), i + 1);
EXPECT_GT(cert_chain_list[i].size(), i + (isRkpOnly() ? 0 : 1));
verify_subject_and_serial(cert_chain_list[i][0], serial_int, subject, false);
}
}
@ -576,45 +576,36 @@ TEST_P(AttestKeyTest, AlternateAttestKeyChaining) {
attest_key.keyBlob = key_blob_list[i - 1];
attest_key_opt = attest_key;
}
ErrorCode result;
AuthorizationSetBuilder auth_set_builder =
AuthorizationSetBuilder()
.AttestKey()
.AttestationApplicationId("bar")
.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
.Authorization(TAG_NO_AUTH_REQUIRED)
.SetDefaultValidity();
// In RKP-only systems, the first key cannot be attested due to lack of batch key
if (!isRkpOnly() || i > 0) {
auth_set_builder.AttestationChallenge("foo");
}
if ((i & 0x1) == 1) {
result = GenerateAttestKey(AuthorizationSetBuilder()
.EcdsaKey(EcCurve::P_256)
.AttestKey()
.AttestationChallenge("foo")
.AttestationApplicationId("bar")
.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
.Authorization(TAG_NO_AUTH_REQUIRED)
.SetDefaultValidity(),
attest_key_opt, &key_blob_list[i],
&attested_key_characteristics, &cert_chain_list[i]);
auth_set_builder.EcdsaKey(EcCurve::P_256);
} else {
result = GenerateAttestKey(AuthorizationSetBuilder()
.RsaKey(2048, 65537)
.AttestKey()
.AttestationChallenge("foo")
.AttestationApplicationId("bar")
.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
.Authorization(TAG_NO_AUTH_REQUIRED)
.SetDefaultValidity(),
attest_key_opt, &key_blob_list[i],
&attested_key_characteristics, &cert_chain_list[i]);
}
// Strongbox may not support factory provisioned attestation key.
if (SecLevel() == SecurityLevel::STRONGBOX) {
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
auth_set_builder.RsaKey(2048, 65537);
}
ErrorCode result = GenerateAttestKey(auth_set_builder, attest_key_opt, &key_blob_list[i],
&attested_key_characteristics, &cert_chain_list[i]);
ASSERT_EQ(ErrorCode::OK, result);
deleters.push_back(KeyBlobDeleter(keymint_, key_blob_list[i]));
AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);
AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics);
ASSERT_GT(cert_chain_list[i].size(), 0);
ASSERT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced, hw_enforced,
SecLevel(),
cert_chain_list[i][0].encodedCertificate));
if (!isRkpOnly() || i > 0) {
AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);
AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics);
ASSERT_GT(cert_chain_list[i].size(), 0);
ASSERT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced,
hw_enforced, SecLevel(),
cert_chain_list[i][0].encodedCertificate));
}
if (i > 0) {
/*
@ -630,7 +621,7 @@ TEST_P(AttestKeyTest, AlternateAttestKeyChaining) {
}
EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_list[i]));
EXPECT_GT(cert_chain_list[i].size(), i + 1);
EXPECT_GT(cert_chain_list[i].size(), i + (isRkpOnly() ? 0 : 1));
verify_subject_and_serial(cert_chain_list[i][0], serial_int, subject, false);
}
}

13
security/keymint/aidl/vts/functional/AuthTest.cpp
View file

@ -455,18 +455,7 @@ TEST_P(AuthTest, TimeoutAuthenticationMultiSid) {
.Authorization(TAG_AUTH_TIMEOUT, timeout_secs);
vector<uint8_t> keyblob;
vector<KeyCharacteristics> key_characteristics;
vector<Certificate> cert_chain;
auto result = GenerateKey(builder, std::nullopt, &keyblob, &key_characteristics, &cert_chain);
if (SecLevel() == SecurityLevel::STRONGBOX) {
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
result = GenerateKeyWithSelfSignedAttestKey(AuthorizationSetBuilder()
.EcdsaKey(EcCurve::P_256)
.AttestKey()
.SetDefaultValidity(),
builder, &keyblob, &key_characteristics,
&cert_chain);
}
}
auto result = GenerateKey(builder, &keyblob, &key_characteristics);
ASSERT_EQ(ErrorCode::OK, result);
// Verify first user to get a HAT that should work.

12
security/keymint/aidl/vts/functional/BootloaderStateTest.cpp
View file

@ -54,18 +54,6 @@ class BootloaderStateTest : public KeyMintAidlTestBase {
.Digest(Digest::NONE)
.SetDefaultValidity();
auto result = GenerateKey(keyDesc, &key_blob, &key_characteristics);
// If factory provisioned attestation key is not supported by Strongbox,
// then create a key with self-signed attestation and use it as the
// attestation key instead.
if (SecLevel() == SecurityLevel::STRONGBOX &&
result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
result = GenerateKeyWithSelfSignedAttestKey(
AuthorizationSetBuilder()
.EcdsaKey(EcCurve::P_256)
.AttestKey()
.SetDefaultValidity(), /* attest key params */
keyDesc, &key_blob, &key_characteristics);
}
ASSERT_EQ(ErrorCode::OK, result);
// Parse attested AVB values.

54
security/keymint/aidl/vts/functional/DeviceUniqueAttestationTest.cpp
View file

@ -73,20 +73,22 @@ TEST_P(DeviceUniqueAttestationTest, RsaNonStrongBoxUnimplemented) {
vector<KeyCharacteristics> key_characteristics;
// Check RSA implementation
auto result = GenerateKey(AuthorizationSetBuilder()
.Authorization(TAG_NO_AUTH_REQUIRED)
.RsaSigningKey(2048, 65537)
.Digest(Digest::SHA_2_256)
.Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
.Authorization(TAG_INCLUDE_UNIQUE_ID)
.Authorization(TAG_CREATION_DATETIME, 1619621648000)
.SetDefaultValidity()
.AttestationChallenge("challenge")
.AttestationApplicationId("foo")
.Authorization(TAG_DEVICE_UNIQUE_ATTESTATION),
&key_blob, &key_characteristics);
auto result =
GenerateKey(AuthorizationSetBuilder()
.Authorization(TAG_NO_AUTH_REQUIRED)
.RsaSigningKey(2048, 65537)
.Digest(Digest::SHA_2_256)
.Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
.Authorization(TAG_INCLUDE_UNIQUE_ID)
.Authorization(TAG_CREATION_DATETIME, 1619621648000)
.SetDefaultValidity()
.AttestationChallenge("challenge")
.AttestationApplicationId("foo")
.Authorization(TAG_DEVICE_UNIQUE_ATTESTATION),
/*attest_key=*/std::nullopt, &key_blob, &key_characteristics, &cert_chain_);
ASSERT_TRUE(result == ErrorCode::INVALID_ARGUMENT || result == ErrorCode::UNSUPPORTED_TAG);
ASSERT_TRUE(result == ErrorCode::INVALID_ARGUMENT || result == ErrorCode::UNSUPPORTED_TAG)
<< "Result: " << result;
}
/*
@ -104,19 +106,21 @@ TEST_P(DeviceUniqueAttestationTest, EcdsaNonStrongBoxUnimplemented) {
vector<KeyCharacteristics> key_characteristics;
// Check Ecdsa implementation
auto result = GenerateKey(AuthorizationSetBuilder()
.Authorization(TAG_NO_AUTH_REQUIRED)
.EcdsaSigningKey(EcCurve::P_256)
.Digest(Digest::SHA_2_256)
.Authorization(TAG_INCLUDE_UNIQUE_ID)
.Authorization(TAG_CREATION_DATETIME, 1619621648000)
.SetDefaultValidity()
.AttestationChallenge("challenge")
.AttestationApplicationId("foo")
.Authorization(TAG_DEVICE_UNIQUE_ATTESTATION),
&key_blob, &key_characteristics);
auto result =
GenerateKey(AuthorizationSetBuilder()
.Authorization(TAG_NO_AUTH_REQUIRED)
.EcdsaSigningKey(EcCurve::P_256)
.Digest(Digest::SHA_2_256)
.Authorization(TAG_INCLUDE_UNIQUE_ID)
.Authorization(TAG_CREATION_DATETIME, 1619621648000)
.SetDefaultValidity()
.AttestationChallenge("challenge")
.AttestationApplicationId("foo")
.Authorization(TAG_DEVICE_UNIQUE_ATTESTATION),
/*attest_key=*/std::nullopt, &key_blob, &key_characteristics, &cert_chain_);
ASSERT_TRUE(result == ErrorCode::INVALID_ARGUMENT || result == ErrorCode::UNSUPPORTED_TAG);
ASSERT_TRUE(result == ErrorCode::INVALID_ARGUMENT || result == ErrorCode::UNSUPPORTED_TAG)
<< "Result: " << result;
}
/*

77
security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp
View file

@ -20,6 +20,10 @@
#include <fstream>
#include <unordered_set>
#include <vector>
#include "aidl/android/hardware/security/keymint/AttestationKey.h"
#include "aidl/android/hardware/security/keymint/ErrorCode.h"
#include "keymint_support/authorization_set.h"
#include "keymint_support/keymint_tags.h"
#include <android-base/logging.h>
#include <android/binder_manager.h>
@ -245,6 +249,13 @@ bool KeyMintAidlTestBase::isSecondImeiIdAttestationRequired() {
return AidlVersion() >= 3 && property_get_int32("ro.vendor.api_level", 0) > __ANDROID_API_T__;
}
bool KeyMintAidlTestBase::isRkpOnly() {
if (SecLevel() == SecurityLevel::STRONGBOX) {
return property_get_bool("remote_provisioning.strongbox.rkp_only", false);
}
return property_get_bool("remote_provisioning.tee.rkp_only", false);
}
bool KeyMintAidlTestBase::Curve25519Supported() {
// Strongbox never supports curve 25519.
if (SecLevel() == SecurityLevel::STRONGBOX) {
@ -295,6 +306,40 @@ void KeyMintAidlTestBase::SetUp() {
}
}
ErrorCode KeyMintAidlTestBase::GenerateKey(const AuthorizationSet& key_desc) {
return GenerateKey(key_desc, &key_blob_, &key_characteristics_);
}
ErrorCode KeyMintAidlTestBase::GenerateKey(const AuthorizationSet& key_desc,
vector<uint8_t>* key_blob,
vector<KeyCharacteristics>* key_characteristics) {
std::optional<AttestationKey> attest_key = std::nullopt;
vector<Certificate> attest_cert_chain;
// If an attestation is requested, but the system is RKP-only, we need to supply an explicit
// attestation key. Else the result is a key without an attestation.
if (isRkpOnly() && key_desc.Contains(TAG_ATTESTATION_CHALLENGE)) {
skipAttestKeyTestIfNeeded();
AuthorizationSet attest_key_desc =
AuthorizationSetBuilder().EcdsaKey(EcCurve::P_256).AttestKey().SetDefaultValidity();
attest_key.emplace();
vector<KeyCharacteristics> attest_key_characteristics;
auto error = GenerateAttestKey(attest_key_desc, std::nullopt, &attest_key.value().keyBlob,
&attest_key_characteristics, &attest_cert_chain);
EXPECT_EQ(error, ErrorCode::OK);
EXPECT_EQ(attest_cert_chain.size(), 1);
attest_key.value().issuerSubjectName = make_name_from_str("Android Keystore Key");
}
ErrorCode error =
GenerateKey(key_desc, attest_key, key_blob, key_characteristics, &cert_chain_);
if (error == ErrorCode::OK && attest_cert_chain.size() > 0) {
cert_chain_.push_back(attest_cert_chain[0]);
}
return error;
}
ErrorCode KeyMintAidlTestBase::GenerateKey(const AuthorizationSet& key_desc,
const optional<AttestationKey>& attest_key,
vector<uint8_t>* key_blob,
@ -335,36 +380,6 @@ ErrorCode KeyMintAidlTestBase::GenerateKey(const AuthorizationSet& key_desc,
return GetReturnErrorCode(result);
}
ErrorCode KeyMintAidlTestBase::GenerateKey(const AuthorizationSet& key_desc,
const optional<AttestationKey>& attest_key) {
return GenerateKey(key_desc, attest_key, &key_blob_, &key_characteristics_, &cert_chain_);
}
ErrorCode KeyMintAidlTestBase::GenerateKeyWithSelfSignedAttestKey(
const AuthorizationSet& attest_key_desc, const AuthorizationSet& key_desc,
vector<uint8_t>* key_blob, vector<KeyCharacteristics>* key_characteristics,
vector<Certificate>* cert_chain) {
skipAttestKeyTest();
AttestationKey attest_key;
vector<Certificate> attest_cert_chain;
vector<KeyCharacteristics> attest_key_characteristics;
// Generate a key with self signed attestation.
auto error = GenerateAttestKey(attest_key_desc, std::nullopt, &attest_key.keyBlob,
&attest_key_characteristics, &attest_cert_chain);
if (error != ErrorCode::OK) {
return error;
}
attest_key.issuerSubjectName = make_name_from_str("Android Keystore Key");
// Generate a key, by passing the above self signed attestation key as attest key.
error = GenerateKey(key_desc, attest_key, key_blob, key_characteristics, cert_chain);
if (error == ErrorCode::OK) {
// Append the attest_cert_chain to the attested cert_chain to yield a valid cert chain.
cert_chain->push_back(attest_cert_chain[0]);
}
return error;
}
ErrorCode KeyMintAidlTestBase::ImportKey(const AuthorizationSet& key_desc, KeyFormat format,
const string& key_material, vector<uint8_t>* key_blob,
vector<KeyCharacteristics>* key_characteristics) {
@ -1663,7 +1678,7 @@ bool KeyMintAidlTestBase::shouldSkipAttestKeyTest(void) const {
// Skip a test that involves use of the ATTEST_KEY feature in specific configurations
// where ATTEST_KEY is not supported (for either StrongBox or TEE).
void KeyMintAidlTestBase::skipAttestKeyTest(void) const {
void KeyMintAidlTestBase::skipAttestKeyTestIfNeeded() const {
if (shouldSkipAttestKeyTest()) {
GTEST_SKIP() << "Test using ATTEST_KEY is not applicable on waivered device";
}

28
security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h
View file

@ -104,35 +104,19 @@ class KeyMintAidlTestBase : public ::testing::TestWithParam<string> {
uint32_t boot_patch_level();
bool isDeviceIdAttestationRequired();
bool isSecondImeiIdAttestationRequired();
bool isRkpOnly();
bool Curve25519Supported();
ErrorCode GenerateKey(const AuthorizationSet& key_desc);
ErrorCode GenerateKey(const AuthorizationSet& key_desc, vector<uint8_t>* key_blob,
vector<KeyCharacteristics>* key_characteristics) {
return GenerateKey(key_desc, std::nullopt /* attest_key */, key_blob, key_characteristics,
&cert_chain_);
}
vector<KeyCharacteristics>* key_characteristics);
ErrorCode GenerateKey(const AuthorizationSet& key_desc,
const optional<AttestationKey>& attest_key, vector<uint8_t>* key_blob,
vector<KeyCharacteristics>* key_characteristics,
vector<Certificate>* cert_chain);
ErrorCode GenerateKey(const AuthorizationSet& key_desc,
const optional<AttestationKey>& attest_key = std::nullopt);
// Generate key for implementations which do not support factory attestation.
ErrorCode GenerateKeyWithSelfSignedAttestKey(const AuthorizationSet& attest_key_desc,
const AuthorizationSet& key_desc,
vector<uint8_t>* key_blob,
vector<KeyCharacteristics>* key_characteristics,
vector<Certificate>* cert_chain);
ErrorCode GenerateKeyWithSelfSignedAttestKey(const AuthorizationSet& attest_key_desc,
const AuthorizationSet& key_desc,
vector<uint8_t>* key_blob,
vector<KeyCharacteristics>* key_characteristics) {
return GenerateKeyWithSelfSignedAttestKey(attest_key_desc, key_desc, key_blob,
key_characteristics, &cert_chain_);
}
ErrorCode ImportKey(const AuthorizationSet& key_desc, KeyFormat format,
const string& key_material, vector<uint8_t>* key_blob,
@ -372,7 +356,7 @@ class KeyMintAidlTestBase : public ::testing::TestWithParam<string> {
bool is_strongbox_enabled(void) const;
bool is_chipset_allowed_km4_strongbox(void) const;
bool shouldSkipAttestKeyTest(void) const;
void skipAttestKeyTest(void) const;
void skipAttestKeyTestIfNeeded() const;
void assert_mgf_digests_present_or_not_in_key_characteristics(
const vector<KeyCharacteristics>& key_characteristics,

153
security/keymint/aidl/vts/functional/KeyMintTest.cpp
View file

@ -37,6 +37,7 @@
#include <aidl/android/hardware/security/keymint/IRemotelyProvisionedComponent.h>
#include <aidl/android/hardware/security/keymint/KeyFormat.h>
#include <keymint_support/authorization_set.h>
#include <keymint_support/key_param_output.h>
#include <keymint_support/openssl_utils.h>
@ -1146,17 +1147,6 @@ TEST_P(NewKeyGenerationTest, RsaWithAttestation) {
.SetDefaultValidity();
auto result = GenerateKey(builder, &key_blob, &key_characteristics);
// Strongbox may not support factory provisioned attestation key.
if (SecLevel() == SecurityLevel::STRONGBOX) {
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
result = GenerateKeyWithSelfSignedAttestKey(
AuthorizationSetBuilder()
.RsaKey(key_size, 65537)
.AttestKey()
.SetDefaultValidity(), /* attest key params */
builder, &key_blob, &key_characteristics);
}
}
ASSERT_EQ(ErrorCode::OK, result);
KeyBlobDeleter deleter(keymint_, key_blob);
ASSERT_GT(key_blob.size(), 0U);
@ -1369,17 +1359,6 @@ TEST_P(NewKeyGenerationTest, RsaEncryptionWithAttestation) {
.SetDefaultValidity();
auto result = GenerateKey(builder, &key_blob, &key_characteristics);
// Strongbox may not support factory provisioned attestation key.
if (SecLevel() == SecurityLevel::STRONGBOX) {
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
result = GenerateKeyWithSelfSignedAttestKey(
AuthorizationSetBuilder()
.RsaKey(key_size, 65537)
.AttestKey()
.SetDefaultValidity(), /* attest key params */
builder, &key_blob, &key_characteristics);
}
}
ASSERT_EQ(ErrorCode::OK, result);
KeyBlobDeleter deleter(keymint_, key_blob);
@ -1490,17 +1469,6 @@ TEST_P(NewKeyGenerationTest, RsaWithAttestationMissAppId) {
.SetDefaultValidity();
auto result = GenerateKey(builder, &key_blob, &key_characteristics);
// Strongbox may not support factory provisioned attestation key.
if (SecLevel() == SecurityLevel::STRONGBOX) {
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
result = GenerateKeyWithSelfSignedAttestKey(
AuthorizationSetBuilder()
.RsaKey(2048, 65537)
.AttestKey()
.SetDefaultValidity(), /* attest key params */
builder, &key_blob, &key_characteristics);
}
}
ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING, result);
}
@ -1625,17 +1593,6 @@ TEST_P(NewKeyGenerationTest, LimitedUsageRsaWithAttestation) {
.SetDefaultValidity();
auto result = GenerateKey(builder, &key_blob, &key_characteristics);
// Strongbox may not support factory provisioned attestation key.
if (SecLevel() == SecurityLevel::STRONGBOX) {
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
result = GenerateKeyWithSelfSignedAttestKey(
AuthorizationSetBuilder()
.RsaKey(key_size, 65537)
.AttestKey()
.SetDefaultValidity(), /* attest key params */
builder, &key_blob, &key_characteristics);
}
}
ASSERT_EQ(ErrorCode::OK, result);
KeyBlobDeleter deleter(keymint_, key_blob);
@ -1877,17 +1834,6 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestation) {
.SetDefaultValidity();
auto result = GenerateKey(builder, &key_blob, &key_characteristics);
// Strongbox may not support factory provisioned attestation key.
if (SecLevel() == SecurityLevel::STRONGBOX) {
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
result = GenerateKeyWithSelfSignedAttestKey(
AuthorizationSetBuilder()
.EcdsaKey(curve)
.AttestKey()
.SetDefaultValidity(), /* attest key params */
builder, &key_blob, &key_characteristics);
}
}
ASSERT_EQ(ErrorCode::OK, result);
KeyBlobDeleter deleter(keymint_, key_blob);
ASSERT_GT(key_blob.size(), 0U);
@ -2020,17 +1966,6 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationTags) {
// Tag not required to be supported by all KeyMint implementations.
continue;
}
// Strongbox may not support factory provisioned attestation key.
if (SecLevel() == SecurityLevel::STRONGBOX) {
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
result = GenerateKeyWithSelfSignedAttestKey(
AuthorizationSetBuilder()
.EcdsaKey(EcCurve::P_256)
.AttestKey()
.SetDefaultValidity(), /* attest key params */
builder, &key_blob, &key_characteristics);
}
}
ASSERT_EQ(result, ErrorCode::OK);
KeyBlobDeleter deleter(keymint_, key_blob);
ASSERT_GT(key_blob.size(), 0U);
@ -2082,18 +2017,6 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationTags) {
builder.push_back(tag);
auto error = GenerateKey(builder, &key_blob, &key_characteristics);
// Strongbox may not support factory provisioned attestation key.
if (SecLevel() == SecurityLevel::STRONGBOX) {
if (error == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
error = GenerateKeyWithSelfSignedAttestKey(
AuthorizationSetBuilder()
.EcdsaKey(EcCurve::P_256)
.AttestKey()
.SetDefaultValidity(), /* attest key params */
builder, &key_blob, &key_characteristics);
}
}
device_id_attestation_check_acceptable_error(tag.tag, error);
}
}
@ -2138,10 +2061,6 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationIdTags) {
AuthorizationSetBuilder builder = base_builder;
builder.push_back(tag);
auto result = GenerateKey(builder, &key_blob, &key_characteristics);
// Strongbox may not support factory provisioned attestation key.
if (SecLevel() == SecurityLevel::STRONGBOX) {
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
}
if (result == ErrorCode::CANNOT_ATTEST_IDS && !isDeviceIdAttestationRequired()) {
// ID attestation was optional till api level 32, from api level 33 it is mandatory.
continue;
@ -2199,16 +2118,6 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationUniqueId) {
builder.Authorization(TAG_RESET_SINCE_ID_ROTATION);
}
auto result = GenerateKey(builder);
if (SecLevel() == SecurityLevel::STRONGBOX) {
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
result = GenerateKeyWithSelfSignedAttestKey(
AuthorizationSetBuilder()
.EcdsaKey(EcCurve::P_256)
.AttestKey()
.SetDefaultValidity(), /* attest key params */
builder, &key_blob_, &key_characteristics_, &cert_chain_);
}
}
ASSERT_EQ(ErrorCode::OK, result);
ASSERT_GT(key_blob_.size(), 0U);
@ -2309,17 +2218,6 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationTagNoApplicationId) {
.SetDefaultValidity();
auto result = GenerateKey(builder, &key_blob, &key_characteristics);
// Strongbox may not support factory provisioned attestation key.
if (SecLevel() == SecurityLevel::STRONGBOX) {
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
result = GenerateKeyWithSelfSignedAttestKey(
AuthorizationSetBuilder()
.EcdsaKey(EcCurve::P_256)
.AttestKey()
.SetDefaultValidity(), /* attest key params */
builder, &key_blob, &key_characteristics);
}
}
ASSERT_EQ(result, ErrorCode::OK);
KeyBlobDeleter deleter(keymint_, key_blob);
ASSERT_GT(key_blob.size(), 0U);
@ -2404,17 +2302,6 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationRequireAppId) {
.SetDefaultValidity();
auto result = GenerateKey(builder, &key_blob, &key_characteristics);
// Strongbox may not support factory provisioned attestation key.
if (SecLevel() == SecurityLevel::STRONGBOX) {
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
result = GenerateKeyWithSelfSignedAttestKey(
AuthorizationSetBuilder()
.EcdsaKey(EcCurve::P_256)
.AttestKey()
.SetDefaultValidity(), /* attest key params */
builder, &key_blob, &key_characteristics);
}
}
ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING, result);
}
@ -2482,17 +2369,6 @@ TEST_P(NewKeyGenerationTest, AttestationApplicationIDLengthProperlyEncoded) {
.SetDefaultValidity();
auto result = GenerateKey(builder, &key_blob, &key_characteristics);
// Strongbox may not support factory provisioned attestation key.
if (SecLevel() == SecurityLevel::STRONGBOX) {
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
result = GenerateKeyWithSelfSignedAttestKey(
AuthorizationSetBuilder()
.EcdsaKey(EcCurve::P_256)
.AttestKey()
.SetDefaultValidity(), /* attest key params */
builder, &key_blob, &key_characteristics);
}
}
ASSERT_EQ(ErrorCode::OK, result);
KeyBlobDeleter deleter(keymint_, key_blob);
ASSERT_GT(key_blob.size(), 0U);
@ -2718,7 +2594,8 @@ TEST_P(NewKeyGenerationTest, HmacNoAttestation) {
.AttestationChallenge(challenge)
.AttestationApplicationId(app_id)
.Authorization(TAG_MIN_MAC_LENGTH, 128),
&key_blob, &key_characteristics));
/*attest_key=*/std::nullopt, &key_blob,
&key_characteristics, &cert_chain_));
KeyBlobDeleter deleter(keymint_, key_blob);
ASSERT_GT(key_blob.size(), 0U);
@ -2907,7 +2784,9 @@ TEST_P(NewKeyGenerationTest, AesNoAttestation) {
.EcbMode()
.Padding(PaddingMode::PKCS7)
.AttestationChallenge(challenge)
.AttestationApplicationId(app_id)));
.AttestationApplicationId(app_id),
/*attest_key=*/std::nullopt, &key_blob_,
&key_characteristics_, &cert_chain_));
ASSERT_EQ(cert_chain_.size(), 0);
}
@ -2928,7 +2807,9 @@ TEST_P(NewKeyGenerationTest, TripleDesNoAttestation) {
.Authorization(TAG_NO_AUTH_REQUIRED)
.Padding(PaddingMode::NONE)
.AttestationChallenge(challenge)
.AttestationApplicationId(app_id)));
.AttestationApplicationId(app_id),
/*attest_key=*/std::nullopt, &key_blob_,
&key_characteristics_, &cert_chain_));
ASSERT_EQ(cert_chain_.size(), 0);
}
@ -8510,17 +8391,6 @@ class KeyAgreementTest : public KeyMintAidlTestBase {
.Authorization(TAG_ATTESTATION_CHALLENGE, challenge)
.SetDefaultValidity();
ErrorCode result = GenerateKey(builder);
if (SecLevel() == SecurityLevel::STRONGBOX) {
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
result = GenerateKeyWithSelfSignedAttestKey(
AuthorizationSetBuilder()
.EcdsaKey(EcCurve::P_256)
.AttestKey()
.SetDefaultValidity(), /* attest key params */
builder, &key_blob_, &key_characteristics_, &cert_chain_);
}
}
ASSERT_EQ(ErrorCode::OK, result) << "Failed to generate key";
ASSERT_GT(cert_chain_.size(), 0);
X509_Ptr kmKeyCert(parse_cert_blob(cert_chain_[0].encodedCertificate));
@ -8811,11 +8681,6 @@ TEST_P(EarlyBootKeyTest, CreateAttestedEarlyBootKey) {
KeyBlobDeleter ecdsa_deleter(keymint_, ecdsaKeyData.blob);
for (const auto& keyData : {aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData}) {
// Strongbox may not support factory attestation. Key creation might fail with
// ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED
if (SecLevel() == SecurityLevel::STRONGBOX && keyData.blob.size() == 0U) {
continue;
}
ASSERT_GT(keyData.blob.size(), 0U);
AuthorizationSet crypto_params = SecLevelAuthorizations(keyData.characteristics);
EXPECT_TRUE(crypto_params.Contains(TAG_EARLY_BOOT_ONLY)) << crypto_params;