From c5c52ce1d3446980e2a760d1fcc89e0c12ff083c Mon Sep 17 00:00:00 2001 From: Seth Moore Date: Sun, 7 Apr 2024 15:26:33 -0700 Subject: [PATCH] Allow RKP-only devices to pass keymint VTS Add test paths for HALs that are RKP-only so that they may pass tests. Fix up a few tests that were just being skipped for RKP-only HALs. Test: ran VTS against cuttlefish with no factory key Bug: 329409739 Change-Id: I5400874dd2f9885c061970a30ea44985353d23ed --- .../aidl/vts/functional/AttestKeyTest.cpp | 161 +++++++++--------- .../keymint/aidl/vts/functional/AuthTest.cpp | 13 +- .../vts/functional/BootloaderStateTest.cpp | 12 -- .../DeviceUniqueAttestationTest.cpp | 54 +++--- .../vts/functional/KeyMintAidlTestBase.cpp | 77 +++++---- .../aidl/vts/functional/KeyMintAidlTestBase.h | 28 +-- .../aidl/vts/functional/KeyMintTest.cpp | 153 +---------------- 7 files changed, 167 insertions(+), 331 deletions(-) diff --git a/security/keymint/aidl/vts/functional/AttestKeyTest.cpp b/security/keymint/aidl/vts/functional/AttestKeyTest.cpp index cc97c13735..7fbca3601e 100644 --- a/security/keymint/aidl/vts/functional/AttestKeyTest.cpp +++ b/security/keymint/aidl/vts/functional/AttestKeyTest.cpp @@ -20,6 +20,7 @@ #include #include +#include #include #include @@ -93,7 +94,7 @@ string get_imei(int slot) { class AttestKeyTest : public KeyMintAidlTestBase { public: void SetUp() override { - skipAttestKeyTest(); + skipAttestKeyTestIfNeeded(); KeyMintAidlTestBase::SetUp(); } }; @@ -273,7 +274,7 @@ TEST_P(AttestKeyTest, RsaAttestKeyMultiPurposeFail) { /* * AttestKeyTest.RsaAttestedAttestKeys * - * This test creates an RSA attestation key signed by factory keys, and varifies it can be + * This test creates an RSA attestation key signed by factory keys, and verifies it can be * used to sign other RSA and EC keys. */ TEST_P(AttestKeyTest, RsaAttestedAttestKeys) { 
@@ -305,9 +306,8 @@ TEST_P(AttestKeyTest, RsaAttestedAttestKeys) { .SetDefaultValidity(), {} /* attestation signing key */, &attest_key.keyBlob, &attest_key_characteristics, &attest_key_cert_chain); - // Strongbox may not support factory provisioned attestation key. - if (SecLevel() == SecurityLevel::STRONGBOX) { - if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; + if (isRkpOnly() && result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) { + GTEST_SKIP() << "RKP-only devices do not have a factory key"; } ASSERT_EQ(ErrorCode::OK, result); KeyBlobDeleter attest_deleter(keymint_, attest_key.keyBlob); 
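Review bot: In RsaAttestedAttestKeys the new skip fires only when `isRkpOnly()` and `ATTESTATION_KEYS_NOT_PROVISIONED` coincide, so a device that declares itself RKP-only yet returns `ErrorCode::OK` for a factory-signed attest key is not flagged. If the property is meant as a strict statement that the HAL holds no factory key (the hunk does not show this), the check could be tightened to `if (isRkpOnly()) { ASSERT_EQ(ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED, result); GTEST_SKIP() << "RKP-only devices do not have a factory key"; }`. That would verify the declared property against the HAL's behaviour, rather than letting the property only ever loosen the test. The test body continues outside the hunk.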
@@ -400,30 +400,32 @@ TEST_P(AttestKeyTest, RsaAttestKeyChaining) { attest_key_opt = attest_key; } - auto result = GenerateAttestKey(AuthorizationSetBuilder() - .RsaKey(2048, 65537) - .AttestKey() - .AttestationChallenge("foo") - .AttestationApplicationId("bar") - .Authorization(TAG_NO_AUTH_REQUIRED) - .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) - .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) - .SetDefaultValidity(), - attest_key_opt, &key_blob_list[i], - &attested_key_characteristics, &cert_chain_list[i]); - // Strongbox may not support factory provisioned attestation key. - if (SecLevel() == SecurityLevel::STRONGBOX) { - if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; + AuthorizationSetBuilder auth_set_builder = + AuthorizationSetBuilder() + .RsaKey(2048, 65537) + .AttestKey() + .AttestationApplicationId("bar") + .Authorization(TAG_NO_AUTH_REQUIRED) + .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) + .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) + .SetDefaultValidity(); + // In RKP-only systems, the first key cannot be attested due to lack of batch key + if (!isRkpOnly() || i > 0) { + auth_set_builder.AttestationChallenge("foo"); } + auto result = GenerateAttestKey(auth_set_builder, attest_key_opt, &key_blob_list[i], + &attested_key_characteristics, &cert_chain_list[i]); ASSERT_EQ(ErrorCode::OK, result); deleters.push_back(KeyBlobDeleter(keymint_, key_blob_list[i])); - AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics); - AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics); - ASSERT_GT(cert_chain_list[i].size(), 0); - ASSERT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced, hw_enforced, - SecLevel(), - cert_chain_list[i][0].encodedCertificate)); + if (!isRkpOnly() || i > 0) { + AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics); + AuthorizationSet sw_enforced = 
SwEnforcedAuthorizations(attested_key_characteristics); + ASSERT_GT(cert_chain_list[i].size(), 0); + ASSERT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced, + hw_enforced, SecLevel(), + cert_chain_list[i][0].encodedCertificate)); + } if (i > 0) { /* @@ -439,7 +441,7 @@ TEST_P(AttestKeyTest, RsaAttestKeyChaining) { } EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_list[i])); - EXPECT_GT(cert_chain_list[i].size(), i + 1); + EXPECT_GT(cert_chain_list[i].size(), i + (isRkpOnly() ? 0 : 1)); verify_subject_and_serial(cert_chain_list[i][0], serial_int, subject, false); } } 
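Review bot: On an RKP-only device the first key (`i == 0`) in RsaAttestKeyChaining is generated without a challenge and skips `verify_attestation_record`, so the only checks left on it are `ChainSignaturesAreValid` and a chain size greater than zero. An explicit expectation for that case would keep it from going unchecked, for example an `else { ASSERT_EQ(cert_chain_list[i].size(), 1); }` branch, matching what the new `GenerateKey` helper in KeyMintAidlTestBase.cpp expects of its own unattested attest key. The condition `!isRkpOnly() || i > 0` is also written twice per loop body; hoisting it into `const bool expect_attestation = !isRkpOnly() || i > 0;` would keep the two uses in step. The same applies to the EcAttestKeyChaining and AlternateAttestKeyChaining hunks. The loop starts and ends outside the hunk, and the comment kept inside `if (i > 0)` may still describe a factory chain for the first key, which would no longer hold on RKP-only devices.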
@@ -475,36 +477,34 @@ TEST_P(AttestKeyTest, EcAttestKeyChaining) { attest_key_opt = attest_key; } - auto result = GenerateAttestKey(AuthorizationSetBuilder() - .EcdsaKey(EcCurve::P_256) - .AttestKey() - .AttestationChallenge("foo") - .AttestationApplicationId("bar") - .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) - .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) - .Authorization(TAG_NO_AUTH_REQUIRED) - .SetDefaultValidity(), - attest_key_opt, &key_blob_list[i], - &attested_key_characteristics, &cert_chain_list[i]); - // Strongbox may not support factory provisioned attestation key. - if (SecLevel() == SecurityLevel::STRONGBOX) { - if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; + AuthorizationSetBuilder auth_set_builder = + AuthorizationSetBuilder() + .EcdsaKey(EcCurve::P_256) + .AttestKey() + .AttestationApplicationId("bar") + .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) + .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) + .Authorization(TAG_NO_AUTH_REQUIRED) + .SetDefaultValidity(); + // In RKP-only systems, the first key cannot be attested due to lack of batch key + if (!isRkpOnly() || i > 0) { + auth_set_builder.AttestationChallenge("foo"); } + auto result = GenerateAttestKey(auth_set_builder, attest_key_opt, &key_blob_list[i], + &attested_key_characteristics, &cert_chain_list[i]); ASSERT_EQ(ErrorCode::OK, result); deleters.push_back(KeyBlobDeleter(keymint_, key_blob_list[i])); - AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics); - AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics); - ASSERT_GT(cert_chain_list[i].size(), 0); - ASSERT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced, hw_enforced, - SecLevel(), - cert_chain_list[i][0].encodedCertificate)); + if (!isRkpOnly() || i > 0) { + AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics); + AuthorizationSet sw_enforced = 
SwEnforcedAuthorizations(attested_key_characteristics); + ASSERT_GT(cert_chain_list[i].size(), 0); + ASSERT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced, + hw_enforced, SecLevel(), + cert_chain_list[i][0].encodedCertificate)); + } if (i > 0) { - /* - * The first key is attestated with factory chain, but all the rest of the keys are - * not supposed to be returned in attestation certificate chains. - */ EXPECT_FALSE(ChainSignaturesAreValid(cert_chain_list[i])); // Appending the attest_key chain to the attested_key_chain should yield a valid chain. @@ -514,7 +514,7 @@ TEST_P(AttestKeyTest, EcAttestKeyChaining) { } EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_list[i])); - EXPECT_GT(cert_chain_list[i].size(), i + 1); + EXPECT_GT(cert_chain_list[i].size(), i + (isRkpOnly() ? 0 : 1)); verify_subject_and_serial(cert_chain_list[i][0], serial_int, subject, false); } } 
@@ -576,45 +576,36 @@ TEST_P(AttestKeyTest, AlternateAttestKeyChaining) { attest_key.keyBlob = key_blob_list[i - 1]; attest_key_opt = attest_key; } - ErrorCode result; + AuthorizationSetBuilder auth_set_builder = + AuthorizationSetBuilder() + .AttestKey() + .AttestationApplicationId("bar") + .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) + .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) + .Authorization(TAG_NO_AUTH_REQUIRED) + .SetDefaultValidity(); + // In RKP-only systems, the first key cannot be attested due to lack of batch key + if (!isRkpOnly() || i > 0) { + auth_set_builder.AttestationChallenge("foo"); + } if ((i & 0x1) == 1) { - result = GenerateAttestKey(AuthorizationSetBuilder() - .EcdsaKey(EcCurve::P_256) - .AttestKey() - .AttestationChallenge("foo") - .AttestationApplicationId("bar") - .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) - .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) - .Authorization(TAG_NO_AUTH_REQUIRED) - .SetDefaultValidity(), - attest_key_opt, &key_blob_list[i], - &attested_key_characteristics, &cert_chain_list[i]); + auth_set_builder.EcdsaKey(EcCurve::P_256); } else { - result = GenerateAttestKey(AuthorizationSetBuilder() - .RsaKey(2048, 65537) - .AttestKey() - .AttestationChallenge("foo") - .AttestationApplicationId("bar") - .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) - .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) - .Authorization(TAG_NO_AUTH_REQUIRED) - .SetDefaultValidity(), - attest_key_opt, &key_blob_list[i], - &attested_key_characteristics, &cert_chain_list[i]); - } - // Strongbox may not support factory provisioned attestation key. 
- if (SecLevel() == SecurityLevel::STRONGBOX) { - if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; + auth_set_builder.RsaKey(2048, 65537); } + ErrorCode result = GenerateAttestKey(auth_set_builder, attest_key_opt, &key_blob_list[i], + &attested_key_characteristics, &cert_chain_list[i]); ASSERT_EQ(ErrorCode::OK, result); deleters.push_back(KeyBlobDeleter(keymint_, key_blob_list[i])); - AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics); - AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics); - ASSERT_GT(cert_chain_list[i].size(), 0); - ASSERT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced, hw_enforced, - SecLevel(), - cert_chain_list[i][0].encodedCertificate)); + if (!isRkpOnly() || i > 0) { + AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics); + AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics); + ASSERT_GT(cert_chain_list[i].size(), 0); + ASSERT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced, + hw_enforced, SecLevel(), + cert_chain_list[i][0].encodedCertificate)); + } if (i > 0) { /* @@ -630,7 +621,7 @@ TEST_P(AttestKeyTest, AlternateAttestKeyChaining) { } EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_list[i])); - EXPECT_GT(cert_chain_list[i].size(), i + 1); + EXPECT_GT(cert_chain_list[i].size(), i + (isRkpOnly() ? 0 : 1)); verify_subject_and_serial(cert_chain_list[i][0], serial_int, subject, false); } } diff --git a/security/keymint/aidl/vts/functional/AuthTest.cpp b/security/keymint/aidl/vts/functional/AuthTest.cpp index eb5db68a5c..f435513221 100644 --- a/security/keymint/aidl/vts/functional/AuthTest.cpp +++ b/security/keymint/aidl/vts/functional/AuthTest.cpp 
@@ -455,18 +455,7 @@ TEST_P(AuthTest, TimeoutAuthenticationMultiSid) { .Authorization(TAG_AUTH_TIMEOUT, timeout_secs); vector keyblob; vector key_characteristics; - vector cert_chain; - auto result = GenerateKey(builder, std::nullopt, &keyblob, &key_characteristics, &cert_chain); - if (SecLevel() == SecurityLevel::STRONGBOX) { - if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) { - result = GenerateKeyWithSelfSignedAttestKey(AuthorizationSetBuilder() - .EcdsaKey(EcCurve::P_256) - .AttestKey() - .SetDefaultValidity(), - builder, &keyblob, &key_characteristics, - &cert_chain); - } - } + auto result = GenerateKey(builder, &keyblob, &key_characteristics); ASSERT_EQ(ErrorCode::OK, result); // Verify first user to get a HAT that should work. diff --git a/security/keymint/aidl/vts/functional/BootloaderStateTest.cpp b/security/keymint/aidl/vts/functional/BootloaderStateTest.cpp index 808ed18eca..c1f6aeeaf1 100644 --- a/security/keymint/aidl/vts/functional/BootloaderStateTest.cpp +++ b/security/keymint/aidl/vts/functional/BootloaderStateTest.cpp @@ -54,18 +54,6 @@ class BootloaderStateTest : public KeyMintAidlTestBase { .Digest(Digest::NONE) .SetDefaultValidity(); auto result = GenerateKey(keyDesc, &key_blob, &key_characteristics); - // If factory provisioned attestation key is not supported by Strongbox, - // then create a key with self-signed attestation and use it as the - // attestation key instead. - if (SecLevel() == SecurityLevel::STRONGBOX && - result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) { - result = GenerateKeyWithSelfSignedAttestKey( - AuthorizationSetBuilder() - .EcdsaKey(EcCurve::P_256) - .AttestKey() - .SetDefaultValidity(), /* attest key params */ - keyDesc, &key_blob, &key_characteristics); - } ASSERT_EQ(ErrorCode::OK, result); // Parse attested AVB values. 
diff --git a/security/keymint/aidl/vts/functional/DeviceUniqueAttestationTest.cpp b/security/keymint/aidl/vts/functional/DeviceUniqueAttestationTest.cpp index 8e9adedf5c..f669110699 100644 --- a/security/keymint/aidl/vts/functional/DeviceUniqueAttestationTest.cpp +++ b/security/keymint/aidl/vts/functional/DeviceUniqueAttestationTest.cpp @@ -73,20 +73,22 @@ TEST_P(DeviceUniqueAttestationTest, RsaNonStrongBoxUnimplemented) { vector key_characteristics; // Check RSA implementation - auto result = GenerateKey(AuthorizationSetBuilder() - .Authorization(TAG_NO_AUTH_REQUIRED) - .RsaSigningKey(2048, 65537) - .Digest(Digest::SHA_2_256) - .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN) - .Authorization(TAG_INCLUDE_UNIQUE_ID) - .Authorization(TAG_CREATION_DATETIME, 1619621648000) - .SetDefaultValidity() - .AttestationChallenge("challenge") - .AttestationApplicationId("foo") - .Authorization(TAG_DEVICE_UNIQUE_ATTESTATION), - &key_blob, &key_characteristics); + auto result = + GenerateKey(AuthorizationSetBuilder() + .Authorization(TAG_NO_AUTH_REQUIRED) + .RsaSigningKey(2048, 65537) + .Digest(Digest::SHA_2_256) + .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN) + .Authorization(TAG_INCLUDE_UNIQUE_ID) + .Authorization(TAG_CREATION_DATETIME, 1619621648000) + .SetDefaultValidity() + .AttestationChallenge("challenge") + .AttestationApplicationId("foo") + .Authorization(TAG_DEVICE_UNIQUE_ATTESTATION), + /*attest_key=*/std::nullopt, &key_blob, &key_characteristics, &cert_chain_); - ASSERT_TRUE(result == ErrorCode::INVALID_ARGUMENT || result == ErrorCode::UNSUPPORTED_TAG); + ASSERT_TRUE(result == ErrorCode::INVALID_ARGUMENT || result == ErrorCode::UNSUPPORTED_TAG) + << "Result: " << result; } /* 
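Review bot: The switch to the five-argument `GenerateKey` overload in RsaNonStrongBoxUnimplemented has no explanation at the call site, so a later cleanup could easily collapse it back to the three-argument form. Going by the new helper in KeyMintAidlTestBase.cpp, the shorter overload substitutes a locally generated attest key on RKP-only devices whenever the request carries `TAG_ATTESTATION_CHALLENGE`, which would presumably change the error this test asserts on. A comment above the call would record that, for example `// Pass attest_key explicitly: the 3-arg GenerateKey() supplies its own attest key on RKP-only devices.` The same applies to EcdsaNonStrongBoxUnimplemented and to HmacNoAttestation, AesNoAttestation and TripleDesNoAttestation in KeyMintTest.cpp.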
@@ -104,19 +106,21 @@ TEST_P(DeviceUniqueAttestationTest, EcdsaNonStrongBoxUnimplemented) { vector key_characteristics; // Check Ecdsa implementation - auto result = GenerateKey(AuthorizationSetBuilder() - .Authorization(TAG_NO_AUTH_REQUIRED) - .EcdsaSigningKey(EcCurve::P_256) - .Digest(Digest::SHA_2_256) - .Authorization(TAG_INCLUDE_UNIQUE_ID) - .Authorization(TAG_CREATION_DATETIME, 1619621648000) - .SetDefaultValidity() - .AttestationChallenge("challenge") - .AttestationApplicationId("foo") - .Authorization(TAG_DEVICE_UNIQUE_ATTESTATION), - &key_blob, &key_characteristics); + auto result = + GenerateKey(AuthorizationSetBuilder() + .Authorization(TAG_NO_AUTH_REQUIRED) + .EcdsaSigningKey(EcCurve::P_256) + .Digest(Digest::SHA_2_256) + .Authorization(TAG_INCLUDE_UNIQUE_ID) + .Authorization(TAG_CREATION_DATETIME, 1619621648000) + .SetDefaultValidity() + .AttestationChallenge("challenge") + .AttestationApplicationId("foo") + .Authorization(TAG_DEVICE_UNIQUE_ATTESTATION), + /*attest_key=*/std::nullopt, &key_blob, &key_characteristics, &cert_chain_); - ASSERT_TRUE(result == ErrorCode::INVALID_ARGUMENT || result == ErrorCode::UNSUPPORTED_TAG); + ASSERT_TRUE(result == ErrorCode::INVALID_ARGUMENT || result == ErrorCode::UNSUPPORTED_TAG) + << "Result: " << result; } /* diff --git a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp index c121d310c6..332fcd492a 100644 --- a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp +++ b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp @@ -20,6 +20,10 @@ #include #include #include +#include "aidl/android/hardware/security/keymint/AttestationKey.h" +#include "aidl/android/hardware/security/keymint/ErrorCode.h" +#include "keymint_support/authorization_set.h" +#include "keymint_support/keymint_tags.h" #include #include 
@@ -245,6 +249,13 @@ bool KeyMintAidlTestBase::isSecondImeiIdAttestationRequired() { return AidlVersion() >= 3 && property_get_int32("ro.vendor.api_level", 0) > __ANDROID_API_T__; } +bool KeyMintAidlTestBase::isRkpOnly() { + if (SecLevel() == SecurityLevel::STRONGBOX) { + return property_get_bool("remote_provisioning.strongbox.rkp_only", false); + } + return property_get_bool("remote_provisioning.tee.rkp_only", false); +} + bool KeyMintAidlTestBase::Curve25519Supported() { // Strongbox never supports curve 25519. if (SecLevel() == SecurityLevel::STRONGBOX) { 
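Review bot: `isRkpOnly()` has no comment saying what the two `remote_provisioning.*.rkp_only` properties assert, although every relaxation in this patch is gated on them. Because the value is a device self-declaration that switches tests from a factory-rooted attestation chain to a locally generated attest key, the function should state that and note that the `false` default keeps the strict path. Something like `// True when the device declares that this KeyMint instance has no factory-provisioned attestation key (RKP-only); attestation tests then use a locally generated attest key.` would do. It also reads the property on every call and is used several times per loop iteration in AttestKeyTest.cpp; caching is optional, but the comment is worth having.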
@@ -295,6 +306,40 @@ void KeyMintAidlTestBase::SetUp() { } } +ErrorCode KeyMintAidlTestBase::GenerateKey(const AuthorizationSet& key_desc) { + return GenerateKey(key_desc, &key_blob_, &key_characteristics_); +} + +ErrorCode KeyMintAidlTestBase::GenerateKey(const AuthorizationSet& key_desc, + vector* key_blob, + vector* key_characteristics) { + std::optional attest_key = std::nullopt; + vector attest_cert_chain; + // If an attestation is requested, but the system is RKP-only, we need to supply an explicit + // attestation key. Else the result is a key without an attestation. + if (isRkpOnly() && key_desc.Contains(TAG_ATTESTATION_CHALLENGE)) { + skipAttestKeyTestIfNeeded(); + AuthorizationSet attest_key_desc = + AuthorizationSetBuilder().EcdsaKey(EcCurve::P_256).AttestKey().SetDefaultValidity(); + attest_key.emplace(); + vector attest_key_characteristics; + auto error = GenerateAttestKey(attest_key_desc, std::nullopt, &attest_key.value().keyBlob, + &attest_key_characteristics, &attest_cert_chain); + EXPECT_EQ(error, ErrorCode::OK); + EXPECT_EQ(attest_cert_chain.size(), 1); + attest_key.value().issuerSubjectName = make_name_from_str("Android Keystore Key"); + } + + ErrorCode error = + GenerateKey(key_desc, attest_key, key_blob, key_characteristics, &cert_chain_); + + if (error == ErrorCode::OK && attest_cert_chain.size() > 0) { + cert_chain_.push_back(attest_cert_chain[0]); + } + + return error; +} + ErrorCode KeyMintAidlTestBase::GenerateKey(const AuthorizationSet& key_desc, const optional& attest_key, vector* key_blob, 
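Review bot: A failed attest-key generation in the RKP-only branch of the three-argument `GenerateKey` is only recorded with `EXPECT_EQ(error, ErrorCode::OK)`, so the function carries on and passes an `AttestationKey` with a presumably empty `keyBlob` to the HAL. The removed `GenerateKeyWithSelfSignedAttestKey` returned the error at that point; adding `if (error != ErrorCode::OK) return error;` after the expectation would restore that. Likewise `skipAttestKeyTestIfNeeded()` is a void helper, so its `GTEST_SKIP()` returns only from the helper and key generation still proceeds on a waivered device. The attest key blob also has no `KeyBlobDeleter` in this hunk, so it appears to stay on the device after the test.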
@@ -335,36 +380,6 @@ ErrorCode KeyMintAidlTestBase::GenerateKey(const AuthorizationSet& key_desc, return GetReturnErrorCode(result); } -ErrorCode KeyMintAidlTestBase::GenerateKey(const AuthorizationSet& key_desc, - const optional& attest_key) { - return GenerateKey(key_desc, attest_key, &key_blob_, &key_characteristics_, &cert_chain_); -} - -ErrorCode KeyMintAidlTestBase::GenerateKeyWithSelfSignedAttestKey( - const AuthorizationSet& attest_key_desc, const AuthorizationSet& key_desc, - vector* key_blob, vector* key_characteristics, - vector* cert_chain) { - skipAttestKeyTest(); - AttestationKey attest_key; - vector attest_cert_chain; - vector attest_key_characteristics; - // Generate a key with self signed attestation. - auto error = GenerateAttestKey(attest_key_desc, std::nullopt, &attest_key.keyBlob, - &attest_key_characteristics, &attest_cert_chain); - if (error != ErrorCode::OK) { - return error; - } - - attest_key.issuerSubjectName = make_name_from_str("Android Keystore Key"); - // Generate a key, by passing the above self signed attestation key as attest key. - error = GenerateKey(key_desc, attest_key, key_blob, key_characteristics, cert_chain); - if (error == ErrorCode::OK) { - // Append the attest_cert_chain to the attested cert_chain to yield a valid cert chain. - cert_chain->push_back(attest_cert_chain[0]); - } - return error; -} - ErrorCode KeyMintAidlTestBase::ImportKey(const AuthorizationSet& key_desc, KeyFormat format, const string& key_material, vector* key_blob, vector* key_characteristics) { 
@@ -1663,7 +1678,7 @@ bool KeyMintAidlTestBase::shouldSkipAttestKeyTest(void) const { // Skip a test that involves use of the ATTEST_KEY feature in specific configurations // where ATTEST_KEY is not supported (for either StrongBox or TEE). -void KeyMintAidlTestBase::skipAttestKeyTest(void) const { +void KeyMintAidlTestBase::skipAttestKeyTestIfNeeded() const { if (shouldSkipAttestKeyTest()) { GTEST_SKIP() << "Test using ATTEST_KEY is not applicable on waivered device"; } diff --git a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h index 4ed769878a..b884cc7b6f 100644 --- a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h +++ b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h 
@@ -104,35 +104,19 @@ class KeyMintAidlTestBase : public ::testing::TestWithParam { uint32_t boot_patch_level(); bool isDeviceIdAttestationRequired(); bool isSecondImeiIdAttestationRequired(); + bool isRkpOnly(); bool Curve25519Supported(); + ErrorCode GenerateKey(const AuthorizationSet& key_desc); + ErrorCode GenerateKey(const AuthorizationSet& key_desc, vector* key_blob, - vector* key_characteristics) { - return GenerateKey(key_desc, std::nullopt /* attest_key */, key_blob, key_characteristics, - &cert_chain_); - } + vector* key_characteristics); + ErrorCode GenerateKey(const AuthorizationSet& key_desc, const optional& attest_key, vector* key_blob, vector* key_characteristics, vector* cert_chain); - ErrorCode GenerateKey(const AuthorizationSet& key_desc, - const optional& attest_key = std::nullopt); - - // Generate key for implementations which do not support factory attestation. - ErrorCode GenerateKeyWithSelfSignedAttestKey(const AuthorizationSet& attest_key_desc, - const AuthorizationSet& key_desc, - vector* key_blob, - vector* key_characteristics, - vector* cert_chain); - - ErrorCode GenerateKeyWithSelfSignedAttestKey(const AuthorizationSet& attest_key_desc, - const AuthorizationSet& key_desc, - vector* key_blob, - vector* key_characteristics) { - return GenerateKeyWithSelfSignedAttestKey(attest_key_desc, key_desc, key_blob, - key_characteristics, &cert_chain_); - } ErrorCode ImportKey(const AuthorizationSet& key_desc, KeyFormat format, const string& key_material, vector* key_blob, @@ -372,7 +356,7 @@ class KeyMintAidlTestBase : public ::testing::TestWithParam { bool is_strongbox_enabled(void) const; bool is_chipset_allowed_km4_strongbox(void) const; bool shouldSkipAttestKeyTest(void) const; - void skipAttestKeyTest(void) const; + void skipAttestKeyTestIfNeeded() const; void assert_mgf_digests_present_or_not_in_key_characteristics( const vector& key_characteristics, 
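Review bot: The three-argument `GenerateKey` declaration now hides behaviour that a caller cannot infer from its signature, and the header does not document it. Per the definition in KeyMintAidlTestBase.cpp, on RKP-only devices a request containing an attestation challenge is signed with a freshly generated attest key, and that key's certificate is appended to `cert_chain_`; the one-argument overload inherits this by forwarding to it. A comment above the declaration would make the difference from the five-argument overload visible, for example `// On RKP-only devices, a request with an attestation challenge is signed by a locally generated attest key; its certificate is appended to cert_chain_. Use the overload taking attest_key to bypass this.` The class starts and ends outside the hunk.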
diff --git a/security/keymint/aidl/vts/functional/KeyMintTest.cpp b/security/keymint/aidl/vts/functional/KeyMintTest.cpp index 3bcdd8f7dc..b65218fba9 100644 --- a/security/keymint/aidl/vts/functional/KeyMintTest.cpp +++ b/security/keymint/aidl/vts/functional/KeyMintTest.cpp @@ -37,6 +37,7 @@ #include #include +#include #include #include @@ -1146,17 +1147,6 @@ TEST_P(NewKeyGenerationTest, RsaWithAttestation) { .SetDefaultValidity(); auto result = GenerateKey(builder, &key_blob, &key_characteristics); - // Strongbox may not support factory provisioned attestation key. - if (SecLevel() == SecurityLevel::STRONGBOX) { - if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) { - result = GenerateKeyWithSelfSignedAttestKey( - AuthorizationSetBuilder() - .RsaKey(key_size, 65537) - .AttestKey() - .SetDefaultValidity(), /* attest key params */ - builder, &key_blob, &key_characteristics); - } - } ASSERT_EQ(ErrorCode::OK, result); KeyBlobDeleter deleter(keymint_, key_blob); ASSERT_GT(key_blob.size(), 0U); @@ -1369,17 +1359,6 @@ TEST_P(NewKeyGenerationTest, RsaEncryptionWithAttestation) { .SetDefaultValidity(); auto result = GenerateKey(builder, &key_blob, &key_characteristics); - // Strongbox may not support factory provisioned attestation key. - if (SecLevel() == SecurityLevel::STRONGBOX) { - if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) { - result = GenerateKeyWithSelfSignedAttestKey( - AuthorizationSetBuilder() - .RsaKey(key_size, 65537) - .AttestKey() - .SetDefaultValidity(), /* attest key params */ - builder, &key_blob, &key_characteristics); - } - } ASSERT_EQ(ErrorCode::OK, result); KeyBlobDeleter deleter(keymint_, key_blob); 
@@ -1490,17 +1469,6 @@ TEST_P(NewKeyGenerationTest, RsaWithAttestationMissAppId) { .SetDefaultValidity(); auto result = GenerateKey(builder, &key_blob, &key_characteristics); - // Strongbox may not support factory provisioned attestation key. - if (SecLevel() == SecurityLevel::STRONGBOX) { - if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) { - result = GenerateKeyWithSelfSignedAttestKey( - AuthorizationSetBuilder() - .RsaKey(2048, 65537) - .AttestKey() - .SetDefaultValidity(), /* attest key params */ - builder, &key_blob, &key_characteristics); - } - } ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING, result); } @@ -1625,17 +1593,6 @@ TEST_P(NewKeyGenerationTest, LimitedUsageRsaWithAttestation) { .SetDefaultValidity(); auto result = GenerateKey(builder, &key_blob, &key_characteristics); - // Strongbox may not support factory provisioned attestation key. - if (SecLevel() == SecurityLevel::STRONGBOX) { - if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) { - result = GenerateKeyWithSelfSignedAttestKey( - AuthorizationSetBuilder() - .RsaKey(key_size, 65537) - .AttestKey() - .SetDefaultValidity(), /* attest key params */ - builder, &key_blob, &key_characteristics); - } - } ASSERT_EQ(ErrorCode::OK, result); KeyBlobDeleter deleter(keymint_, key_blob); @@ -1877,17 +1834,6 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestation) { .SetDefaultValidity(); auto result = GenerateKey(builder, &key_blob, &key_characteristics); - // Strongbox may not support factory provisioned attestation key. - if (SecLevel() == SecurityLevel::STRONGBOX) { - if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) { - result = GenerateKeyWithSelfSignedAttestKey( - AuthorizationSetBuilder() - .EcdsaKey(curve) - .AttestKey() - .SetDefaultValidity(), /* attest key params */ - builder, &key_blob, &key_characteristics); - } - } ASSERT_EQ(ErrorCode::OK, result); KeyBlobDeleter deleter(keymint_, key_blob); ASSERT_GT(key_blob.size(), 0U); 
@@ -2020,17 +1966,6 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationTags) { // Tag not required to be supported by all KeyMint implementations. continue; } - // Strongbox may not support factory provisioned attestation key. - if (SecLevel() == SecurityLevel::STRONGBOX) { - if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) { - result = GenerateKeyWithSelfSignedAttestKey( - AuthorizationSetBuilder() - .EcdsaKey(EcCurve::P_256) - .AttestKey() - .SetDefaultValidity(), /* attest key params */ - builder, &key_blob, &key_characteristics); - } - } ASSERT_EQ(result, ErrorCode::OK); KeyBlobDeleter deleter(keymint_, key_blob); ASSERT_GT(key_blob.size(), 0U); @@ -2082,18 +2017,6 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationTags) { builder.push_back(tag); auto error = GenerateKey(builder, &key_blob, &key_characteristics); - // Strongbox may not support factory provisioned attestation key. - if (SecLevel() == SecurityLevel::STRONGBOX) { - if (error == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) { - error = GenerateKeyWithSelfSignedAttestKey( - AuthorizationSetBuilder() - .EcdsaKey(EcCurve::P_256) - .AttestKey() - .SetDefaultValidity(), /* attest key params */ - builder, &key_blob, &key_characteristics); - } - } - device_id_attestation_check_acceptable_error(tag.tag, error); } } @@ -2138,10 +2061,6 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationIdTags) { AuthorizationSetBuilder builder = base_builder; builder.push_back(tag); auto result = GenerateKey(builder, &key_blob, &key_characteristics); - // Strongbox may not support factory provisioned attestation key. - if (SecLevel() == SecurityLevel::STRONGBOX) { - if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return; - } if (result == ErrorCode::CANNOT_ATTEST_IDS && !isDeviceIdAttestationRequired()) { // ID attestation was optional till api level 32, from api level 33 it is mandatory. continue; 
@@ -2199,16 +2118,6 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationUniqueId) { builder.Authorization(TAG_RESET_SINCE_ID_ROTATION); } auto result = GenerateKey(builder); - if (SecLevel() == SecurityLevel::STRONGBOX) { - if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) { - result = GenerateKeyWithSelfSignedAttestKey( - AuthorizationSetBuilder() - .EcdsaKey(EcCurve::P_256) - .AttestKey() - .SetDefaultValidity(), /* attest key params */ - builder, &key_blob_, &key_characteristics_, &cert_chain_); - } - } ASSERT_EQ(ErrorCode::OK, result); ASSERT_GT(key_blob_.size(), 0U); @@ -2309,17 +2218,6 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationTagNoApplicationId) { .SetDefaultValidity(); auto result = GenerateKey(builder, &key_blob, &key_characteristics); - // Strongbox may not support factory provisioned attestation key. - if (SecLevel() == SecurityLevel::STRONGBOX) { - if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) { - result = GenerateKeyWithSelfSignedAttestKey( - AuthorizationSetBuilder() - .EcdsaKey(EcCurve::P_256) - .AttestKey() - .SetDefaultValidity(), /* attest key params */ - builder, &key_blob, &key_characteristics); - } - } ASSERT_EQ(result, ErrorCode::OK); KeyBlobDeleter deleter(keymint_, key_blob); ASSERT_GT(key_blob.size(), 0U); @@ -2404,17 +2302,6 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationRequireAppId) { .SetDefaultValidity(); auto result = GenerateKey(builder, &key_blob, &key_characteristics); - // Strongbox may not support factory provisioned attestation key. - if (SecLevel() == SecurityLevel::STRONGBOX) { - if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) { - result = GenerateKeyWithSelfSignedAttestKey( - AuthorizationSetBuilder() - .EcdsaKey(EcCurve::P_256) - .AttestKey() - .SetDefaultValidity(), /* attest key params */ - builder, &key_blob, &key_characteristics); - } - } ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING, result); } 
@@ -2482,17 +2369,6 @@ TEST_P(NewKeyGenerationTest, AttestationApplicationIDLengthProperlyEncoded) { .SetDefaultValidity(); auto result = GenerateKey(builder, &key_blob, &key_characteristics); - // Strongbox may not support factory provisioned attestation key. - if (SecLevel() == SecurityLevel::STRONGBOX) { - if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) { - result = GenerateKeyWithSelfSignedAttestKey( - AuthorizationSetBuilder() - .EcdsaKey(EcCurve::P_256) - .AttestKey() - .SetDefaultValidity(), /* attest key params */ - builder, &key_blob, &key_characteristics); - } - } ASSERT_EQ(ErrorCode::OK, result); KeyBlobDeleter deleter(keymint_, key_blob); ASSERT_GT(key_blob.size(), 0U); @@ -2718,7 +2594,8 @@ TEST_P(NewKeyGenerationTest, HmacNoAttestation) { .AttestationChallenge(challenge) .AttestationApplicationId(app_id) .Authorization(TAG_MIN_MAC_LENGTH, 128), - &key_blob, &key_characteristics)); + /*attest_key=*/std::nullopt, &key_blob, + &key_characteristics, &cert_chain_)); KeyBlobDeleter deleter(keymint_, key_blob); ASSERT_GT(key_blob.size(), 0U); @@ -2907,7 +2784,9 @@ TEST_P(NewKeyGenerationTest, AesNoAttestation) { .EcbMode() .Padding(PaddingMode::PKCS7) .AttestationChallenge(challenge) - .AttestationApplicationId(app_id))); + .AttestationApplicationId(app_id), + /*attest_key=*/std::nullopt, &key_blob_, + &key_characteristics_, &cert_chain_)); ASSERT_EQ(cert_chain_.size(), 0); } @@ -2928,7 +2807,9 @@ TEST_P(NewKeyGenerationTest, TripleDesNoAttestation) { .Authorization(TAG_NO_AUTH_REQUIRED) .Padding(PaddingMode::NONE) .AttestationChallenge(challenge) - .AttestationApplicationId(app_id))); + .AttestationApplicationId(app_id), + /*attest_key=*/std::nullopt, &key_blob_, + &key_characteristics_, &cert_chain_)); ASSERT_EQ(cert_chain_.size(), 0); } 
@@ -8510,17 +8391,6 @@ class KeyAgreementTest : public KeyMintAidlTestBase { .Authorization(TAG_ATTESTATION_CHALLENGE, challenge) .SetDefaultValidity(); ErrorCode result = GenerateKey(builder); - - if (SecLevel() == SecurityLevel::STRONGBOX) { - if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) { - result = GenerateKeyWithSelfSignedAttestKey( - AuthorizationSetBuilder() - .EcdsaKey(EcCurve::P_256) - .AttestKey() - .SetDefaultValidity(), /* attest key params */ - builder, &key_blob_, &key_characteristics_, &cert_chain_); - } - } ASSERT_EQ(ErrorCode::OK, result) << "Failed to generate key"; ASSERT_GT(cert_chain_.size(), 0); X509_Ptr kmKeyCert(parse_cert_blob(cert_chain_[0].encodedCertificate)); @@ -8811,11 +8681,6 @@ TEST_P(EarlyBootKeyTest, CreateAttestedEarlyBootKey) { KeyBlobDeleter ecdsa_deleter(keymint_, ecdsaKeyData.blob); for (const auto& keyData : {aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData}) { - // Strongbox may not support factory attestation. Key creation might fail with - // ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED - if (SecLevel() == SecurityLevel::STRONGBOX && keyData.blob.size() == 0U) { - continue; - } ASSERT_GT(keyData.blob.size(), 0U); AuthorizationSet crypto_params = SecLevelAuthorizations(keyData.characteristics); EXPECT_TRUE(crypto_params.Contains(TAG_EARLY_BOOT_ONLY)) << crypto_params;