tequilaOS/platform_hardware_interfaces
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge "Allow RKP-only devices to pass keymint VTS" into main

Browse source
This commit is contained in:
Seth Moore 2024-04-09 15:31:26 +00:00 committed by Gerrit Code Review
commit fae563acb0
7 changed files with 167 additions and 331 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

161
security/keymint/aidl/vts/functional/AttestKeyTest.cpp
View file

@ -20,6 +20,7 @@
#include <cutils/log.h> #include <cutils/log.h>
#include <cutils/properties.h> #include <cutils/properties.h>
#include <keymint_support/authorization_set.h>
#include <keymint_support/key_param_output.h> #include <keymint_support/key_param_output.h>
#include <keymint_support/openssl_utils.h> #include <keymint_support/openssl_utils.h>
@ -93,7 +94,7 @@ string get_imei(int slot) {
class AttestKeyTest : public KeyMintAidlTestBase { class AttestKeyTest : public KeyMintAidlTestBase {
public: public:
void SetUp() override { void SetUp() override {
skipAttestKeyTest(); skipAttestKeyTestIfNeeded();
KeyMintAidlTestBase::SetUp(); KeyMintAidlTestBase::SetUp();
} }
}; };
@ -273,7 +274,7 @@ TEST_P(AttestKeyTest, RsaAttestKeyMultiPurposeFail) {
/* /*
* AttestKeyTest.RsaAttestedAttestKeys * AttestKeyTest.RsaAttestedAttestKeys
* *
* This test creates an RSA attestation key signed by factory keys, and varifies it can be * This test creates an RSA attestation key signed by factory keys, and verifies it can be
* used to sign other RSA and EC keys. * used to sign other RSA and EC keys.
*/ */
TEST_P(AttestKeyTest, RsaAttestedAttestKeys) { TEST_P(AttestKeyTest, RsaAttestedAttestKeys) {
@ -305,9 +306,8 @@ TEST_P(AttestKeyTest, RsaAttestedAttestKeys) {
.SetDefaultValidity(), .SetDefaultValidity(),
{} /* attestation signing key */, &attest_key.keyBlob, {} /* attestation signing key */, &attest_key.keyBlob,
&attest_key_characteristics, &attest_key_cert_chain); &attest_key_characteristics, &attest_key_cert_chain);
// Strongbox may not support factory provisioned attestation key. if (isRkpOnly() && result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
if (SecLevel() == SecurityLevel::STRONGBOX) { GTEST_SKIP() << "RKP-only devices do not have a factory key";
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
} }
ASSERT_EQ(ErrorCode::OK, result); ASSERT_EQ(ErrorCode::OK, result);
KeyBlobDeleter attest_deleter(keymint_, attest_key.keyBlob); KeyBlobDeleter attest_deleter(keymint_, attest_key.keyBlob);
@ -400,30 +400,32 @@ TEST_P(AttestKeyTest, RsaAttestKeyChaining) {
attest_key_opt = attest_key; attest_key_opt = attest_key;
} }
auto result = GenerateAttestKey(AuthorizationSetBuilder() AuthorizationSetBuilder auth_set_builder =
.RsaKey(2048, 65537) AuthorizationSetBuilder()
.AttestKey() .RsaKey(2048, 65537)
.AttestationChallenge("foo") .AttestKey()
.AttestationApplicationId("bar") .AttestationApplicationId("bar")
.Authorization(TAG_NO_AUTH_REQUIRED) .Authorization(TAG_NO_AUTH_REQUIRED)
.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
.SetDefaultValidity(), .SetDefaultValidity();
attest_key_opt, &key_blob_list[i], // In RKP-only systems, the first key cannot be attested due to lack of batch key
&attested_key_characteristics, &cert_chain_list[i]); if (!isRkpOnly() || i > 0) {
// Strongbox may not support factory provisioned attestation key. auth_set_builder.AttestationChallenge("foo");
if (SecLevel() == SecurityLevel::STRONGBOX) {
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
} }
auto result = GenerateAttestKey(auth_set_builder, attest_key_opt, &key_blob_list[i],
&attested_key_characteristics, &cert_chain_list[i]);
ASSERT_EQ(ErrorCode::OK, result); ASSERT_EQ(ErrorCode::OK, result);
deleters.push_back(KeyBlobDeleter(keymint_, key_blob_list[i])); deleters.push_back(KeyBlobDeleter(keymint_, key_blob_list[i]));
AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics); if (!isRkpOnly() || i > 0) {
AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics); AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);
ASSERT_GT(cert_chain_list[i].size(), 0); AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics);
ASSERT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced, hw_enforced, ASSERT_GT(cert_chain_list[i].size(), 0);
SecLevel(), ASSERT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced,
cert_chain_list[i][0].encodedCertificate)); hw_enforced, SecLevel(),
cert_chain_list[i][0].encodedCertificate));
}
if (i > 0) { if (i > 0) {
/* /*
@ -439,7 +441,7 @@ TEST_P(AttestKeyTest, RsaAttestKeyChaining) {
} }
EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_list[i])); EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_list[i]));
EXPECT_GT(cert_chain_list[i].size(), i + 1); EXPECT_GT(cert_chain_list[i].size(), i + (isRkpOnly() ? 0 : 1));
verify_subject_and_serial(cert_chain_list[i][0], serial_int, subject, false); verify_subject_and_serial(cert_chain_list[i][0], serial_int, subject, false);
} }
} }
@ -475,36 +477,34 @@ TEST_P(AttestKeyTest, EcAttestKeyChaining) {
attest_key_opt = attest_key; attest_key_opt = attest_key;
} }
auto result = GenerateAttestKey(AuthorizationSetBuilder() AuthorizationSetBuilder auth_set_builder =
.EcdsaKey(EcCurve::P_256) AuthorizationSetBuilder()
.AttestKey() .EcdsaKey(EcCurve::P_256)
.AttestationChallenge("foo") .AttestKey()
.AttestationApplicationId("bar") .AttestationApplicationId("bar")
.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob) .Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der) .Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
.Authorization(TAG_NO_AUTH_REQUIRED) .Authorization(TAG_NO_AUTH_REQUIRED)
.SetDefaultValidity(), .SetDefaultValidity();
attest_key_opt, &key_blob_list[i], // In RKP-only systems, the first key cannot be attested due to lack of batch key
&attested_key_characteristics, &cert_chain_list[i]); if (!isRkpOnly() || i > 0) {
// Strongbox may not support factory provisioned attestation key. auth_set_builder.AttestationChallenge("foo");
if (SecLevel() == SecurityLevel::STRONGBOX) {
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
} }
auto result = GenerateAttestKey(auth_set_builder, attest_key_opt, &key_blob_list[i],
&attested_key_characteristics, &cert_chain_list[i]);
ASSERT_EQ(ErrorCode::OK, result); ASSERT_EQ(ErrorCode::OK, result);
deleters.push_back(KeyBlobDeleter(keymint_, key_blob_list[i])); deleters.push_back(KeyBlobDeleter(keymint_, key_blob_list[i]));
AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics); if (!isRkpOnly() || i > 0) {
AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics); AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);
ASSERT_GT(cert_chain_list[i].size(), 0); AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics);
ASSERT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced, hw_enforced, ASSERT_GT(cert_chain_list[i].size(), 0);
SecLevel(), ASSERT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced,
cert_chain_list[i][0].encodedCertificate)); hw_enforced, SecLevel(),
cert_chain_list[i][0].encodedCertificate));
}
if (i > 0) { if (i > 0) {
/*
* The first key is attestated with factory chain, but all the rest of the keys are
* not supposed to be returned in attestation certificate chains.
*/
EXPECT_FALSE(ChainSignaturesAreValid(cert_chain_list[i])); EXPECT_FALSE(ChainSignaturesAreValid(cert_chain_list[i]));
// Appending the attest_key chain to the attested_key_chain should yield a valid chain. // Appending the attest_key chain to the attested_key_chain should yield a valid chain.
@ -514,7 +514,7 @@ TEST_P(AttestKeyTest, EcAttestKeyChaining) {
} }
EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_list[i])); EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_list[i]));
EXPECT_GT(cert_chain_list[i].size(), i + 1); EXPECT_GT(cert_chain_list[i].size(), i + (isRkpOnly() ? 0 : 1));
verify_subject_and_serial(cert_chain_list[i][0], serial_int, subject, false); verify_subject_and_serial(cert_chain_list[i][0], serial_int, subject, false);
} }
} }
@ -576,45 +576,36 @@ TEST_P(AttestKeyTest, AlternateAttestKeyChaining) {
attest_key.keyBlob = key_blob_list[i - 1]; attest_key.keyBlob = key_blob_list[i - 1];
attest_key_opt = attest_key; attest_key_opt = attest_key;
} }
ErrorCode result; AuthorizationSetBuilder auth_set_builder =
AuthorizationSetBuilder()
.AttestKey()
.AttestationApplicationId("bar")
.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
.Authorization(TAG_NO_AUTH_REQUIRED)
.SetDefaultValidity();
// In RKP-only systems, the first key cannot be attested due to lack of batch key
if (!isRkpOnly() || i > 0) {
auth_set_builder.AttestationChallenge("foo");
}
if ((i & 0x1) == 1) { if ((i & 0x1) == 1) {
result = GenerateAttestKey(AuthorizationSetBuilder() auth_set_builder.EcdsaKey(EcCurve::P_256);
.EcdsaKey(EcCurve::P_256)
.AttestKey()
.AttestationChallenge("foo")
.AttestationApplicationId("bar")
.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
.Authorization(TAG_NO_AUTH_REQUIRED)
.SetDefaultValidity(),
attest_key_opt, &key_blob_list[i],
&attested_key_characteristics, &cert_chain_list[i]);
} else { } else {
result = GenerateAttestKey(AuthorizationSetBuilder() auth_set_builder.RsaKey(2048, 65537);
.RsaKey(2048, 65537)
.AttestKey()
.AttestationChallenge("foo")
.AttestationApplicationId("bar")
.Authorization(TAG_CERTIFICATE_SERIAL, serial_blob)
.Authorization(TAG_CERTIFICATE_SUBJECT, subject_der)
.Authorization(TAG_NO_AUTH_REQUIRED)
.SetDefaultValidity(),
attest_key_opt, &key_blob_list[i],
&attested_key_characteristics, &cert_chain_list[i]);
}
// Strongbox may not support factory provisioned attestation key.
if (SecLevel() == SecurityLevel::STRONGBOX) {
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
} }
ErrorCode result = GenerateAttestKey(auth_set_builder, attest_key_opt, &key_blob_list[i],
&attested_key_characteristics, &cert_chain_list[i]);
ASSERT_EQ(ErrorCode::OK, result); ASSERT_EQ(ErrorCode::OK, result);
deleters.push_back(KeyBlobDeleter(keymint_, key_blob_list[i])); deleters.push_back(KeyBlobDeleter(keymint_, key_blob_list[i]));
AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics); if (!isRkpOnly() || i > 0) {
AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics); AuthorizationSet hw_enforced = HwEnforcedAuthorizations(attested_key_characteristics);
ASSERT_GT(cert_chain_list[i].size(), 0); AuthorizationSet sw_enforced = SwEnforcedAuthorizations(attested_key_characteristics);
ASSERT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced, hw_enforced, ASSERT_GT(cert_chain_list[i].size(), 0);
SecLevel(), ASSERT_TRUE(verify_attestation_record(AidlVersion(), "foo", "bar", sw_enforced,
cert_chain_list[i][0].encodedCertificate)); hw_enforced, SecLevel(),
cert_chain_list[i][0].encodedCertificate));
}
if (i > 0) { if (i > 0) {
/* /*
@ -630,7 +621,7 @@ TEST_P(AttestKeyTest, AlternateAttestKeyChaining) {
} }
EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_list[i])); EXPECT_TRUE(ChainSignaturesAreValid(cert_chain_list[i]));
EXPECT_GT(cert_chain_list[i].size(), i + 1); EXPECT_GT(cert_chain_list[i].size(), i + (isRkpOnly() ? 0 : 1));
verify_subject_and_serial(cert_chain_list[i][0], serial_int, subject, false); verify_subject_and_serial(cert_chain_list[i][0], serial_int, subject, false);
} }
} }

13
security/keymint/aidl/vts/functional/AuthTest.cpp
View file

@ -455,18 +455,7 @@ TEST_P(AuthTest, TimeoutAuthenticationMultiSid) {
.Authorization(TAG_AUTH_TIMEOUT, timeout_secs); .Authorization(TAG_AUTH_TIMEOUT, timeout_secs);
vector<uint8_t> keyblob; vector<uint8_t> keyblob;
vector<KeyCharacteristics> key_characteristics; vector<KeyCharacteristics> key_characteristics;
vector<Certificate> cert_chain; auto result = GenerateKey(builder, &keyblob, &key_characteristics);
auto result = GenerateKey(builder, std::nullopt, &keyblob, &key_characteristics, &cert_chain);
if (SecLevel() == SecurityLevel::STRONGBOX) {
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
result = GenerateKeyWithSelfSignedAttestKey(AuthorizationSetBuilder()
.EcdsaKey(EcCurve::P_256)
.AttestKey()
.SetDefaultValidity(),
builder, &keyblob, &key_characteristics,
&cert_chain);
}
}
ASSERT_EQ(ErrorCode::OK, result); ASSERT_EQ(ErrorCode::OK, result);
// Verify first user to get a HAT that should work. // Verify first user to get a HAT that should work.

12
security/keymint/aidl/vts/functional/BootloaderStateTest.cpp
View file

@ -54,18 +54,6 @@ class BootloaderStateTest : public KeyMintAidlTestBase {
.Digest(Digest::NONE) .Digest(Digest::NONE)
.SetDefaultValidity(); .SetDefaultValidity();
auto result = GenerateKey(keyDesc, &key_blob, &key_characteristics); auto result = GenerateKey(keyDesc, &key_blob, &key_characteristics);
// If factory provisioned attestation key is not supported by Strongbox,
// then create a key with self-signed attestation and use it as the
// attestation key instead.
if (SecLevel() == SecurityLevel::STRONGBOX &&
result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
result = GenerateKeyWithSelfSignedAttestKey(
AuthorizationSetBuilder()
.EcdsaKey(EcCurve::P_256)
.AttestKey()
.SetDefaultValidity(), /* attest key params */
keyDesc, &key_blob, &key_characteristics);
}
ASSERT_EQ(ErrorCode::OK, result); ASSERT_EQ(ErrorCode::OK, result);
// Parse attested AVB values. // Parse attested AVB values.

54
security/keymint/aidl/vts/functional/DeviceUniqueAttestationTest.cpp
View file

@ -73,20 +73,22 @@ TEST_P(DeviceUniqueAttestationTest, RsaNonStrongBoxUnimplemented) {
vector<KeyCharacteristics> key_characteristics; vector<KeyCharacteristics> key_characteristics;
// Check RSA implementation // Check RSA implementation
auto result = GenerateKey(AuthorizationSetBuilder() auto result =
.Authorization(TAG_NO_AUTH_REQUIRED) GenerateKey(AuthorizationSetBuilder()
.RsaSigningKey(2048, 65537) .Authorization(TAG_NO_AUTH_REQUIRED)
.Digest(Digest::SHA_2_256) .RsaSigningKey(2048, 65537)
.Padding(PaddingMode::RSA_PKCS1_1_5_SIGN) .Digest(Digest::SHA_2_256)
.Authorization(TAG_INCLUDE_UNIQUE_ID) .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
.Authorization(TAG_CREATION_DATETIME, 1619621648000) .Authorization(TAG_INCLUDE_UNIQUE_ID)
.SetDefaultValidity() .Authorization(TAG_CREATION_DATETIME, 1619621648000)
.AttestationChallenge("challenge") .SetDefaultValidity()
.AttestationApplicationId("foo") .AttestationChallenge("challenge")
.Authorization(TAG_DEVICE_UNIQUE_ATTESTATION), .AttestationApplicationId("foo")
&key_blob, &key_characteristics); .Authorization(TAG_DEVICE_UNIQUE_ATTESTATION),
/*attest_key=*/std::nullopt, &key_blob, &key_characteristics, &cert_chain_);
ASSERT_TRUE(result == ErrorCode::INVALID_ARGUMENT || result == ErrorCode::UNSUPPORTED_TAG); ASSERT_TRUE(result == ErrorCode::INVALID_ARGUMENT || result == ErrorCode::UNSUPPORTED_TAG)
<< "Result: " << result;
} }
/* /*
@ -104,19 +106,21 @@ TEST_P(DeviceUniqueAttestationTest, EcdsaNonStrongBoxUnimplemented) {
vector<KeyCharacteristics> key_characteristics; vector<KeyCharacteristics> key_characteristics;
// Check Ecdsa implementation // Check Ecdsa implementation
auto result = GenerateKey(AuthorizationSetBuilder() auto result =
.Authorization(TAG_NO_AUTH_REQUIRED) GenerateKey(AuthorizationSetBuilder()
.EcdsaSigningKey(EcCurve::P_256) .Authorization(TAG_NO_AUTH_REQUIRED)
.Digest(Digest::SHA_2_256) .EcdsaSigningKey(EcCurve::P_256)
.Authorization(TAG_INCLUDE_UNIQUE_ID) .Digest(Digest::SHA_2_256)
.Authorization(TAG_CREATION_DATETIME, 1619621648000) .Authorization(TAG_INCLUDE_UNIQUE_ID)
.SetDefaultValidity() .Authorization(TAG_CREATION_DATETIME, 1619621648000)
.AttestationChallenge("challenge") .SetDefaultValidity()
.AttestationApplicationId("foo") .AttestationChallenge("challenge")
.Authorization(TAG_DEVICE_UNIQUE_ATTESTATION), .AttestationApplicationId("foo")
&key_blob, &key_characteristics); .Authorization(TAG_DEVICE_UNIQUE_ATTESTATION),
/*attest_key=*/std::nullopt, &key_blob, &key_characteristics, &cert_chain_);
ASSERT_TRUE(result == ErrorCode::INVALID_ARGUMENT || result == ErrorCode::UNSUPPORTED_TAG); ASSERT_TRUE(result == ErrorCode::INVALID_ARGUMENT || result == ErrorCode::UNSUPPORTED_TAG)
<< "Result: " << result;
} }
/* /*

77
security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp
View file

@ -20,6 +20,10 @@
#include <fstream> #include <fstream>
#include <unordered_set> #include <unordered_set>
#include <vector> #include <vector>
#include "aidl/android/hardware/security/keymint/AttestationKey.h"
#include "aidl/android/hardware/security/keymint/ErrorCode.h"
#include "keymint_support/authorization_set.h"
#include "keymint_support/keymint_tags.h"
#include <android-base/logging.h> #include <android-base/logging.h>
#include <android/binder_manager.h> #include <android/binder_manager.h>
@ -245,6 +249,13 @@ bool KeyMintAidlTestBase::isSecondImeiIdAttestationRequired() {
return AidlVersion() >= 3 && property_get_int32("ro.vendor.api_level", 0) > __ANDROID_API_T__; return AidlVersion() >= 3 && property_get_int32("ro.vendor.api_level", 0) > __ANDROID_API_T__;
} }
bool KeyMintAidlTestBase::isRkpOnly() {
if (SecLevel() == SecurityLevel::STRONGBOX) {
return property_get_bool("remote_provisioning.strongbox.rkp_only", false);
}
return property_get_bool("remote_provisioning.tee.rkp_only", false);
}
bool KeyMintAidlTestBase::Curve25519Supported() { bool KeyMintAidlTestBase::Curve25519Supported() {
// Strongbox never supports curve 25519. // Strongbox never supports curve 25519.
if (SecLevel() == SecurityLevel::STRONGBOX) { if (SecLevel() == SecurityLevel::STRONGBOX) {
@ -295,6 +306,40 @@ void KeyMintAidlTestBase::SetUp() {
} }
} }
ErrorCode KeyMintAidlTestBase::GenerateKey(const AuthorizationSet& key_desc) {
return GenerateKey(key_desc, &key_blob_, &key_characteristics_);
}
ErrorCode KeyMintAidlTestBase::GenerateKey(const AuthorizationSet& key_desc,
vector<uint8_t>* key_blob,
vector<KeyCharacteristics>* key_characteristics) {
std::optional<AttestationKey> attest_key = std::nullopt;
vector<Certificate> attest_cert_chain;
// If an attestation is requested, but the system is RKP-only, we need to supply an explicit
// attestation key. Else the result is a key without an attestation.
if (isRkpOnly() && key_desc.Contains(TAG_ATTESTATION_CHALLENGE)) {
skipAttestKeyTestIfNeeded();
AuthorizationSet attest_key_desc =
AuthorizationSetBuilder().EcdsaKey(EcCurve::P_256).AttestKey().SetDefaultValidity();
attest_key.emplace();
vector<KeyCharacteristics> attest_key_characteristics;
auto error = GenerateAttestKey(attest_key_desc, std::nullopt, &attest_key.value().keyBlob,
&attest_key_characteristics, &attest_cert_chain);
EXPECT_EQ(error, ErrorCode::OK);
EXPECT_EQ(attest_cert_chain.size(), 1);
attest_key.value().issuerSubjectName = make_name_from_str("Android Keystore Key");
}
ErrorCode error =
GenerateKey(key_desc, attest_key, key_blob, key_characteristics, &cert_chain_);
if (error == ErrorCode::OK && attest_cert_chain.size() > 0) {
cert_chain_.push_back(attest_cert_chain[0]);
}
return error;
}
ErrorCode KeyMintAidlTestBase::GenerateKey(const AuthorizationSet& key_desc, ErrorCode KeyMintAidlTestBase::GenerateKey(const AuthorizationSet& key_desc,
const optional<AttestationKey>& attest_key, const optional<AttestationKey>& attest_key,
vector<uint8_t>* key_blob, vector<uint8_t>* key_blob,
@ -335,36 +380,6 @@ ErrorCode KeyMintAidlTestBase::GenerateKey(const AuthorizationSet& key_desc,
return GetReturnErrorCode(result); return GetReturnErrorCode(result);
} }
ErrorCode KeyMintAidlTestBase::GenerateKey(const AuthorizationSet& key_desc,
const optional<AttestationKey>& attest_key) {
return GenerateKey(key_desc, attest_key, &key_blob_, &key_characteristics_, &cert_chain_);
}
ErrorCode KeyMintAidlTestBase::GenerateKeyWithSelfSignedAttestKey(
const AuthorizationSet& attest_key_desc, const AuthorizationSet& key_desc,
vector<uint8_t>* key_blob, vector<KeyCharacteristics>* key_characteristics,
vector<Certificate>* cert_chain) {
skipAttestKeyTest();
AttestationKey attest_key;
vector<Certificate> attest_cert_chain;
vector<KeyCharacteristics> attest_key_characteristics;
// Generate a key with self signed attestation.
auto error = GenerateAttestKey(attest_key_desc, std::nullopt, &attest_key.keyBlob,
&attest_key_characteristics, &attest_cert_chain);
if (error != ErrorCode::OK) {
return error;
}
attest_key.issuerSubjectName = make_name_from_str("Android Keystore Key");
// Generate a key, by passing the above self signed attestation key as attest key.
error = GenerateKey(key_desc, attest_key, key_blob, key_characteristics, cert_chain);
if (error == ErrorCode::OK) {
// Append the attest_cert_chain to the attested cert_chain to yield a valid cert chain.
cert_chain->push_back(attest_cert_chain[0]);
}
return error;
}
ErrorCode KeyMintAidlTestBase::ImportKey(const AuthorizationSet& key_desc, KeyFormat format, ErrorCode KeyMintAidlTestBase::ImportKey(const AuthorizationSet& key_desc, KeyFormat format,
const string& key_material, vector<uint8_t>* key_blob, const string& key_material, vector<uint8_t>* key_blob,
vector<KeyCharacteristics>* key_characteristics) { vector<KeyCharacteristics>* key_characteristics) {
@ -1663,7 +1678,7 @@ bool KeyMintAidlTestBase::shouldSkipAttestKeyTest(void) const {
// Skip a test that involves use of the ATTEST_KEY feature in specific configurations // Skip a test that involves use of the ATTEST_KEY feature in specific configurations
// where ATTEST_KEY is not supported (for either StrongBox or TEE). // where ATTEST_KEY is not supported (for either StrongBox or TEE).
void KeyMintAidlTestBase::skipAttestKeyTest(void) const { void KeyMintAidlTestBase::skipAttestKeyTestIfNeeded() const {
if (shouldSkipAttestKeyTest()) { if (shouldSkipAttestKeyTest()) {
GTEST_SKIP() << "Test using ATTEST_KEY is not applicable on waivered device"; GTEST_SKIP() << "Test using ATTEST_KEY is not applicable on waivered device";
} }

28
security/keymint/aidl/vts/functional/KeyMintAidlTestBase.h
View file

@ -104,35 +104,19 @@ class KeyMintAidlTestBase : public ::testing::TestWithParam<string> {
uint32_t boot_patch_level(); uint32_t boot_patch_level();
bool isDeviceIdAttestationRequired(); bool isDeviceIdAttestationRequired();
bool isSecondImeiIdAttestationRequired(); bool isSecondImeiIdAttestationRequired();
bool isRkpOnly();
bool Curve25519Supported(); bool Curve25519Supported();
ErrorCode GenerateKey(const AuthorizationSet& key_desc);
ErrorCode GenerateKey(const AuthorizationSet& key_desc, vector<uint8_t>* key_blob, ErrorCode GenerateKey(const AuthorizationSet& key_desc, vector<uint8_t>* key_blob,
vector<KeyCharacteristics>* key_characteristics) { vector<KeyCharacteristics>* key_characteristics);
return GenerateKey(key_desc, std::nullopt /* attest_key */, key_blob, key_characteristics,
&cert_chain_);
}
ErrorCode GenerateKey(const AuthorizationSet& key_desc, ErrorCode GenerateKey(const AuthorizationSet& key_desc,
const optional<AttestationKey>& attest_key, vector<uint8_t>* key_blob, const optional<AttestationKey>& attest_key, vector<uint8_t>* key_blob,
vector<KeyCharacteristics>* key_characteristics, vector<KeyCharacteristics>* key_characteristics,
vector<Certificate>* cert_chain); vector<Certificate>* cert_chain);
ErrorCode GenerateKey(const AuthorizationSet& key_desc,
const optional<AttestationKey>& attest_key = std::nullopt);
// Generate key for implementations which do not support factory attestation.
ErrorCode GenerateKeyWithSelfSignedAttestKey(const AuthorizationSet& attest_key_desc,
const AuthorizationSet& key_desc,
vector<uint8_t>* key_blob,
vector<KeyCharacteristics>* key_characteristics,
vector<Certificate>* cert_chain);
ErrorCode GenerateKeyWithSelfSignedAttestKey(const AuthorizationSet& attest_key_desc,
const AuthorizationSet& key_desc,
vector<uint8_t>* key_blob,
vector<KeyCharacteristics>* key_characteristics) {
return GenerateKeyWithSelfSignedAttestKey(attest_key_desc, key_desc, key_blob,
key_characteristics, &cert_chain_);
}
ErrorCode ImportKey(const AuthorizationSet& key_desc, KeyFormat format, ErrorCode ImportKey(const AuthorizationSet& key_desc, KeyFormat format,
const string& key_material, vector<uint8_t>* key_blob, const string& key_material, vector<uint8_t>* key_blob,
@ -372,7 +356,7 @@ class KeyMintAidlTestBase : public ::testing::TestWithParam<string> {
bool is_strongbox_enabled(void) const; bool is_strongbox_enabled(void) const;
bool is_chipset_allowed_km4_strongbox(void) const; bool is_chipset_allowed_km4_strongbox(void) const;
bool shouldSkipAttestKeyTest(void) const; bool shouldSkipAttestKeyTest(void) const;
void skipAttestKeyTest(void) const; void skipAttestKeyTestIfNeeded() const;
void assert_mgf_digests_present_or_not_in_key_characteristics( void assert_mgf_digests_present_or_not_in_key_characteristics(
const vector<KeyCharacteristics>& key_characteristics, const vector<KeyCharacteristics>& key_characteristics,

153
security/keymint/aidl/vts/functional/KeyMintTest.cpp
View file

@ -37,6 +37,7 @@
#include <aidl/android/hardware/security/keymint/IRemotelyProvisionedComponent.h> #include <aidl/android/hardware/security/keymint/IRemotelyProvisionedComponent.h>
#include <aidl/android/hardware/security/keymint/KeyFormat.h> #include <aidl/android/hardware/security/keymint/KeyFormat.h>
#include <keymint_support/authorization_set.h>
#include <keymint_support/key_param_output.h> #include <keymint_support/key_param_output.h>
#include <keymint_support/openssl_utils.h> #include <keymint_support/openssl_utils.h>
@ -1146,17 +1147,6 @@ TEST_P(NewKeyGenerationTest, RsaWithAttestation) {
.SetDefaultValidity(); .SetDefaultValidity();
auto result = GenerateKey(builder, &key_blob, &key_characteristics); auto result = GenerateKey(builder, &key_blob, &key_characteristics);
// Strongbox may not support factory provisioned attestation key.
if (SecLevel() == SecurityLevel::STRONGBOX) {
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
result = GenerateKeyWithSelfSignedAttestKey(
AuthorizationSetBuilder()
.RsaKey(key_size, 65537)
.AttestKey()
.SetDefaultValidity(), /* attest key params */
builder, &key_blob, &key_characteristics);
}
}
ASSERT_EQ(ErrorCode::OK, result); ASSERT_EQ(ErrorCode::OK, result);
KeyBlobDeleter deleter(keymint_, key_blob); KeyBlobDeleter deleter(keymint_, key_blob);
ASSERT_GT(key_blob.size(), 0U); ASSERT_GT(key_blob.size(), 0U);
@ -1369,17 +1359,6 @@ TEST_P(NewKeyGenerationTest, RsaEncryptionWithAttestation) {
.SetDefaultValidity(); .SetDefaultValidity();
auto result = GenerateKey(builder, &key_blob, &key_characteristics); auto result = GenerateKey(builder, &key_blob, &key_characteristics);
// Strongbox may not support factory provisioned attestation key.
if (SecLevel() == SecurityLevel::STRONGBOX) {
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
result = GenerateKeyWithSelfSignedAttestKey(
AuthorizationSetBuilder()
.RsaKey(key_size, 65537)
.AttestKey()
.SetDefaultValidity(), /* attest key params */
builder, &key_blob, &key_characteristics);
}
}
ASSERT_EQ(ErrorCode::OK, result); ASSERT_EQ(ErrorCode::OK, result);
KeyBlobDeleter deleter(keymint_, key_blob); KeyBlobDeleter deleter(keymint_, key_blob);
@ -1490,17 +1469,6 @@ TEST_P(NewKeyGenerationTest, RsaWithAttestationMissAppId) {
.SetDefaultValidity(); .SetDefaultValidity();
auto result = GenerateKey(builder, &key_blob, &key_characteristics); auto result = GenerateKey(builder, &key_blob, &key_characteristics);
// Strongbox may not support factory provisioned attestation key.
if (SecLevel() == SecurityLevel::STRONGBOX) {
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
result = GenerateKeyWithSelfSignedAttestKey(
AuthorizationSetBuilder()
.RsaKey(2048, 65537)
.AttestKey()
.SetDefaultValidity(), /* attest key params */
builder, &key_blob, &key_characteristics);
}
}
ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING, result); ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING, result);
} }
@ -1625,17 +1593,6 @@ TEST_P(NewKeyGenerationTest, LimitedUsageRsaWithAttestation) {
.SetDefaultValidity(); .SetDefaultValidity();
auto result = GenerateKey(builder, &key_blob, &key_characteristics); auto result = GenerateKey(builder, &key_blob, &key_characteristics);
// Strongbox may not support factory provisioned attestation key.
if (SecLevel() == SecurityLevel::STRONGBOX) {
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
result = GenerateKeyWithSelfSignedAttestKey(
AuthorizationSetBuilder()
.RsaKey(key_size, 65537)
.AttestKey()
.SetDefaultValidity(), /* attest key params */
builder, &key_blob, &key_characteristics);
}
}
ASSERT_EQ(ErrorCode::OK, result); ASSERT_EQ(ErrorCode::OK, result);
KeyBlobDeleter deleter(keymint_, key_blob); KeyBlobDeleter deleter(keymint_, key_blob);
@ -1877,17 +1834,6 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestation) {
.SetDefaultValidity(); .SetDefaultValidity();
auto result = GenerateKey(builder, &key_blob, &key_characteristics); auto result = GenerateKey(builder, &key_blob, &key_characteristics);
// Strongbox may not support factory provisioned attestation key.
if (SecLevel() == SecurityLevel::STRONGBOX) {
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
result = GenerateKeyWithSelfSignedAttestKey(
AuthorizationSetBuilder()
.EcdsaKey(curve)
.AttestKey()
.SetDefaultValidity(), /* attest key params */
builder, &key_blob, &key_characteristics);
}
}
ASSERT_EQ(ErrorCode::OK, result); ASSERT_EQ(ErrorCode::OK, result);
KeyBlobDeleter deleter(keymint_, key_blob); KeyBlobDeleter deleter(keymint_, key_blob);
ASSERT_GT(key_blob.size(), 0U); ASSERT_GT(key_blob.size(), 0U);
@ -2020,17 +1966,6 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationTags) {
// Tag not required to be supported by all KeyMint implementations. // Tag not required to be supported by all KeyMint implementations.
continue; continue;
} }
// Strongbox may not support factory provisioned attestation key.
if (SecLevel() == SecurityLevel::STRONGBOX) {
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
result = GenerateKeyWithSelfSignedAttestKey(
AuthorizationSetBuilder()
.EcdsaKey(EcCurve::P_256)
.AttestKey()
.SetDefaultValidity(), /* attest key params */
builder, &key_blob, &key_characteristics);
}
}
ASSERT_EQ(result, ErrorCode::OK); ASSERT_EQ(result, ErrorCode::OK);
KeyBlobDeleter deleter(keymint_, key_blob); KeyBlobDeleter deleter(keymint_, key_blob);
ASSERT_GT(key_blob.size(), 0U); ASSERT_GT(key_blob.size(), 0U);
@ -2082,18 +2017,6 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationTags) {
builder.push_back(tag); builder.push_back(tag);
auto error = GenerateKey(builder, &key_blob, &key_characteristics); auto error = GenerateKey(builder, &key_blob, &key_characteristics);
// Strongbox may not support factory provisioned attestation key.
if (SecLevel() == SecurityLevel::STRONGBOX) {
if (error == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
error = GenerateKeyWithSelfSignedAttestKey(
AuthorizationSetBuilder()
.EcdsaKey(EcCurve::P_256)
.AttestKey()
.SetDefaultValidity(), /* attest key params */
builder, &key_blob, &key_characteristics);
}
}
device_id_attestation_check_acceptable_error(tag.tag, error); device_id_attestation_check_acceptable_error(tag.tag, error);
} }
} }
@ -2138,10 +2061,6 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationIdTags) {
AuthorizationSetBuilder builder = base_builder; AuthorizationSetBuilder builder = base_builder;
builder.push_back(tag); builder.push_back(tag);
auto result = GenerateKey(builder, &key_blob, &key_characteristics); auto result = GenerateKey(builder, &key_blob, &key_characteristics);
// Strongbox may not support factory provisioned attestation key.
if (SecLevel() == SecurityLevel::STRONGBOX) {
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) return;
}
if (result == ErrorCode::CANNOT_ATTEST_IDS && !isDeviceIdAttestationRequired()) { if (result == ErrorCode::CANNOT_ATTEST_IDS && !isDeviceIdAttestationRequired()) {
// ID attestation was optional till api level 32, from api level 33 it is mandatory. // ID attestation was optional till api level 32, from api level 33 it is mandatory.
continue; continue;
@ -2199,16 +2118,6 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationUniqueId) {
builder.Authorization(TAG_RESET_SINCE_ID_ROTATION); builder.Authorization(TAG_RESET_SINCE_ID_ROTATION);
} }
auto result = GenerateKey(builder); auto result = GenerateKey(builder);
if (SecLevel() == SecurityLevel::STRONGBOX) {
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
result = GenerateKeyWithSelfSignedAttestKey(
AuthorizationSetBuilder()
.EcdsaKey(EcCurve::P_256)
.AttestKey()
.SetDefaultValidity(), /* attest key params */
builder, &key_blob_, &key_characteristics_, &cert_chain_);
}
}
ASSERT_EQ(ErrorCode::OK, result); ASSERT_EQ(ErrorCode::OK, result);
ASSERT_GT(key_blob_.size(), 0U); ASSERT_GT(key_blob_.size(), 0U);
@ -2309,17 +2218,6 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationTagNoApplicationId) {
.SetDefaultValidity(); .SetDefaultValidity();
auto result = GenerateKey(builder, &key_blob, &key_characteristics); auto result = GenerateKey(builder, &key_blob, &key_characteristics);
// Strongbox may not support factory provisioned attestation key.
if (SecLevel() == SecurityLevel::STRONGBOX) {
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
result = GenerateKeyWithSelfSignedAttestKey(
AuthorizationSetBuilder()
.EcdsaKey(EcCurve::P_256)
.AttestKey()
.SetDefaultValidity(), /* attest key params */
builder, &key_blob, &key_characteristics);
}
}
ASSERT_EQ(result, ErrorCode::OK); ASSERT_EQ(result, ErrorCode::OK);
KeyBlobDeleter deleter(keymint_, key_blob); KeyBlobDeleter deleter(keymint_, key_blob);
ASSERT_GT(key_blob.size(), 0U); ASSERT_GT(key_blob.size(), 0U);
@ -2404,17 +2302,6 @@ TEST_P(NewKeyGenerationTest, EcdsaAttestationRequireAppId) {
.SetDefaultValidity(); .SetDefaultValidity();
auto result = GenerateKey(builder, &key_blob, &key_characteristics); auto result = GenerateKey(builder, &key_blob, &key_characteristics);
// Strongbox may not support factory provisioned attestation key.
if (SecLevel() == SecurityLevel::STRONGBOX) {
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
result = GenerateKeyWithSelfSignedAttestKey(
AuthorizationSetBuilder()
.EcdsaKey(EcCurve::P_256)
.AttestKey()
.SetDefaultValidity(), /* attest key params */
builder, &key_blob, &key_characteristics);
}
}
ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING, result); ASSERT_EQ(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING, result);
} }
@ -2482,17 +2369,6 @@ TEST_P(NewKeyGenerationTest, AttestationApplicationIDLengthProperlyEncoded) {
.SetDefaultValidity(); .SetDefaultValidity();
auto result = GenerateKey(builder, &key_blob, &key_characteristics); auto result = GenerateKey(builder, &key_blob, &key_characteristics);
// Strongbox may not support factory provisioned attestation key.
if (SecLevel() == SecurityLevel::STRONGBOX) {
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
result = GenerateKeyWithSelfSignedAttestKey(
AuthorizationSetBuilder()
.EcdsaKey(EcCurve::P_256)
.AttestKey()
.SetDefaultValidity(), /* attest key params */
builder, &key_blob, &key_characteristics);
}
}
ASSERT_EQ(ErrorCode::OK, result); ASSERT_EQ(ErrorCode::OK, result);
KeyBlobDeleter deleter(keymint_, key_blob); KeyBlobDeleter deleter(keymint_, key_blob);
ASSERT_GT(key_blob.size(), 0U); ASSERT_GT(key_blob.size(), 0U);
@ -2718,7 +2594,8 @@ TEST_P(NewKeyGenerationTest, HmacNoAttestation) {
.AttestationChallenge(challenge) .AttestationChallenge(challenge)
.AttestationApplicationId(app_id) .AttestationApplicationId(app_id)
.Authorization(TAG_MIN_MAC_LENGTH, 128), .Authorization(TAG_MIN_MAC_LENGTH, 128),
&key_blob, &key_characteristics)); /*attest_key=*/std::nullopt, &key_blob,
&key_characteristics, &cert_chain_));
KeyBlobDeleter deleter(keymint_, key_blob); KeyBlobDeleter deleter(keymint_, key_blob);
ASSERT_GT(key_blob.size(), 0U); ASSERT_GT(key_blob.size(), 0U);
@ -2907,7 +2784,9 @@ TEST_P(NewKeyGenerationTest, AesNoAttestation) {
.EcbMode() .EcbMode()
.Padding(PaddingMode::PKCS7) .Padding(PaddingMode::PKCS7)
.AttestationChallenge(challenge) .AttestationChallenge(challenge)
.AttestationApplicationId(app_id))); .AttestationApplicationId(app_id),
/*attest_key=*/std::nullopt, &key_blob_,
&key_characteristics_, &cert_chain_));
ASSERT_EQ(cert_chain_.size(), 0); ASSERT_EQ(cert_chain_.size(), 0);
} }
@ -2928,7 +2807,9 @@ TEST_P(NewKeyGenerationTest, TripleDesNoAttestation) {
.Authorization(TAG_NO_AUTH_REQUIRED) .Authorization(TAG_NO_AUTH_REQUIRED)
.Padding(PaddingMode::NONE) .Padding(PaddingMode::NONE)
.AttestationChallenge(challenge) .AttestationChallenge(challenge)
.AttestationApplicationId(app_id))); .AttestationApplicationId(app_id),
/*attest_key=*/std::nullopt, &key_blob_,
&key_characteristics_, &cert_chain_));
ASSERT_EQ(cert_chain_.size(), 0); ASSERT_EQ(cert_chain_.size(), 0);
} }
@ -8510,17 +8391,6 @@ class KeyAgreementTest : public KeyMintAidlTestBase {
.Authorization(TAG_ATTESTATION_CHALLENGE, challenge) .Authorization(TAG_ATTESTATION_CHALLENGE, challenge)
.SetDefaultValidity(); .SetDefaultValidity();
ErrorCode result = GenerateKey(builder); ErrorCode result = GenerateKey(builder);
if (SecLevel() == SecurityLevel::STRONGBOX) {
if (result == ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED) {
result = GenerateKeyWithSelfSignedAttestKey(
AuthorizationSetBuilder()
.EcdsaKey(EcCurve::P_256)
.AttestKey()
.SetDefaultValidity(), /* attest key params */
builder, &key_blob_, &key_characteristics_, &cert_chain_);
}
}
ASSERT_EQ(ErrorCode::OK, result) << "Failed to generate key"; ASSERT_EQ(ErrorCode::OK, result) << "Failed to generate key";
ASSERT_GT(cert_chain_.size(), 0); ASSERT_GT(cert_chain_.size(), 0);
X509_Ptr kmKeyCert(parse_cert_blob(cert_chain_[0].encodedCertificate)); X509_Ptr kmKeyCert(parse_cert_blob(cert_chain_[0].encodedCertificate));
@ -8811,11 +8681,6 @@ TEST_P(EarlyBootKeyTest, CreateAttestedEarlyBootKey) {
KeyBlobDeleter ecdsa_deleter(keymint_, ecdsaKeyData.blob); KeyBlobDeleter ecdsa_deleter(keymint_, ecdsaKeyData.blob);
for (const auto& keyData : {aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData}) { for (const auto& keyData : {aesKeyData, hmacKeyData, rsaKeyData, ecdsaKeyData}) {
// Strongbox may not support factory attestation. Key creation might fail with
// ErrorCode::ATTESTATION_KEYS_NOT_PROVISIONED
if (SecLevel() == SecurityLevel::STRONGBOX && keyData.blob.size() == 0U) {
continue;
}
ASSERT_GT(keyData.blob.size(), 0U); ASSERT_GT(keyData.blob.size(), 0U);
AuthorizationSet crypto_params = SecLevelAuthorizations(keyData.characteristics); AuthorizationSet crypto_params = SecLevelAuthorizations(keyData.characteristics);
EXPECT_TRUE(crypto_params.Contains(TAG_EARLY_BOOT_ONLY)) << crypto_params; EXPECT_TRUE(crypto_params.Contains(TAG_EARLY_BOOT_ONLY)) << crypto_params;