Commit graph

722 commits

Author SHA1 Message Date
Andrew Scull
1ca978f373 Select the DICE validation rules based on the VSR
Check the VSR of the device to select the DICE validation rules that
will be appropriate to use for VTS.

Test: TH
Change-Id: Iff19debd1e442a0b318da1a4d8a08d470efba0ae
2023-09-20 14:30:48 +00:00
Eran Messeri
801c76b13e Merge "Enable EcdsaAttestationIdTags VTS for GSI" into main 2023-09-19 10:55:45 +00:00
David Drysdale
a2d3f2499c Merge "KeyMint: clarify EC_CURVE on import" into main 2023-09-18 15:00:57 +00:00
David Drysdale
2ef3749cba Merge "KeyMint VTS: re-order auth failure arms" into main 2023-09-15 10:36:47 +00:00
David Drysdale
9ed7d2c5bf KeyMint: check missing EC_CURVE on v3+
The original change to add this test didn't make it into the Android 13
version of the VTS test, so the version gate needs to be updated to be
v3+

Bug: 292318194
Test: VtsAidlKeyMintTargetTest --gtest_filter="*EcdsaMissingCurve*"
Change-Id: I94bf816688e57c7c04893a23cf0399129de94229
2023-09-14 15:16:27 +01:00
David Drysdale
a35699cb5c KeyMint VTS: re-order auth failure arms
Allow for devices that claim to need external timestamps, but don't.

Test: VtsAidlKeyMintTargetTest
Bug: 300211206
Change-Id: Ie450d9969c337d5274502f3600e14c0b481e8b34
2023-09-14 11:34:15 +01:00
Prashant Patil
24f7579130 Enable EcdsaAttestationIdTags VTS for GSI
Earlier, attestation properties didn't match on GSI images, hence
EcdsaAttestationIdTags VTS test case was skipped on GSI images.

Recently attestation properties reading priority changed as
ro.product.*_for_attestation -> ro.product.vendor.* -> ro.product.*
that means on GSI images ro.product.vendor.* properties could be used
and hence attestation should work. Incase ro.product.vendor.* properties
are not same as provisioned values to KM. They should be set as
ro.product.*_for_attestation on base build.

Bug: 298586194
Test: atest VtsAidlKeyMintTargetTest:PerInstance/NewKeyGenerationTest#EcdsaAttestationIdTags/0_android_hardware_security_keymint_IKeyMintDevice_default
Change-Id: Ie945bd8f7060e0e768daf9681d121ea5f170a6e1
2023-09-07 15:40:33 +00:00
David Drysdale
9b8d75eacb KeyMint: clarify EC_CURVE on import
Bug: 292318194
Test: VtsAidlKeyMintTargetTest
Change-Id: I4194b70f1da8816e19f231331c738050c2b7d59f
2023-09-06 13:37:57 +01:00
Istvan Nador
8f28f8b8ea Enable the keymaster logger in the default Keymint
This solution was adopted from Cuttlefish's host side Keymint
implementation: I22bde00aed311c6774f83acc08a2c21e6e75141f.

Bug: 296983430
Test: Tested with Cuttlefish that the logs are present in logcat.
Change-Id: I942b0200bb164a2a865b255c6f26d628cbd345a4
2023-09-04 12:05:58 +00:00
Andrew Scull
e780dbf0d0 Test the format of patch level device info
On top of checking that the patch level are a UINT, also check that they
follow the YYYYMM or YYYYMMDD format in the CSR v3 as is required by the
server validation logic. This check is not applied in the factory as the
value might not yet be correctly provisioned.

Bug: 269813991
Test: atest VtsHalRemotelyProvisionedComponentTargetTest
Change-Id: I5c62ba176dae390ea0a387bba6cb975226e3873a
2023-09-01 17:42:31 +00:00
Tri Vo
d284817690 Merge "keymint: Clarify usage of certificate tags with importWrappedKey" into main 2023-08-30 15:12:13 +00:00
Treehugger Robot
7bed173e4c Merge "Only require RKP on T+ chipsets" into main 2023-08-25 19:08:06 +00:00
Seth Moore
8be875e0d0 Only require RKP on T+ chipsets
It turns out we had a bug (b/263844771) in how RKP support was
detected, and that was fixed. However, due to this bug, some S chipests
shipped without RKP support which is now required by the tests.

This change drops the RKP requirement from S chipsets. There should be
no new S chipsets, so this effectively grandfathers in the previous
ones that were skipped by the RKP VTS tests.

T+ tests (both VTS and other suites) will verify that RKP support is
there, so there is no gap introduced by this change.

Bug: 297139913
Test: VtsAidlKeyMintTargetTest
Change-Id: I387e5f058ada698747aac103c1745682291f2d1c
2023-08-25 11:13:41 -07:00
David Drysdale
41bbc573f7 Merge "KeyMint: fix auth test HAT" into main 2023-08-25 09:45:42 +00:00
David Drysdale
97272d8d5f KeyMint: fix auth test HAT
The test case for an auth-per-operation HAT with an invalid HMAC
is wrong -- it is re-using the previous HAT, which fails for a
different reason (has an old challenge).

Fix the test to use the HAT that's wrong in the intended way.

Bug: 297333975
Test: VtsAidlKeyMintTargetTest
Change-Id: I15fe9b0c1b53452df0f67dd44534fdb80a6c2a9c
2023-08-25 07:30:12 +01:00
Tomasz Wasilczyk
5c8abe9cc2 Use String8/16 c_str [security]
Bug: 295394788
Test: make checkbuild
Change-Id: I4dd1a43c314af087c4f8ecad3570613ed841589c
2023-08-23 18:51:57 +00:00
Tri Vo
77f4bced2e keymint: Clarify usage of certificate tags with importWrappedKey
Bug: 292534977
Test: atest android.keystore.cts.ImportWrappedKeyTest
Change-Id: I2cb65bc27e4f6b64c331bae4e4a8242ff1d91e43
2023-08-18 14:54:20 -04:00
David Drysdale
ae8c281824 Merge "KeyMint: allow extra error code" into main 2023-08-16 10:20:21 +00:00
Treehugger Robot
a2441d9090 Merge "Add VSR annotation to KeyMint tests" into main 2023-08-15 14:17:24 +00:00
Treehugger Robot
1452142a46 Merge "Whenever generateKey fails updated AttestKeyTests to abort instead of continuing the execution of the test." into main 2023-08-15 11:30:45 +00:00
David Drysdale
84b685adf5 KeyMint: allow extra error code
Bug: 295055603
Test: VtsAidlKeyMintTargetTest
Change-Id: Ifbd4a899364c38bb6ad63bb5b5a683c69edfb5b7
2023-08-11 16:00:32 +01:00
Treehugger Robot
d99d7730b8 Merge "Update the TimeoutAuthenticationMultiSid test" into main 2023-08-09 14:25:05 +00:00
Subrahmanya Manikanta Venkateswarlu Bhamidipati Kameswara Sri
07c7d28a84 Update the TimeoutAuthenticationMultiSid test
Update TimeoutAuthenticationMultiSid test to support
generateKey for Strongbox implementations without
factory attestation.

Bug: 293211157
Test: run vts -m VtsAidlKeyMintTarget
Change-Id: I27bf08d2fd2d9e0217a90ee8ccb789adfd9d5f7f
2023-08-08 22:33:37 +00:00
David Drysdale
0215cb3d3e KeyMint: use a smaller invalid IMEI value
The invalid value used for the second IMEI attestation test is
potentially wrong in two ways:
- It doesn't match the provisioned value.
- It's not a valid IMEI, not least because it is longer than 16 bytes.

Make the test value shorter so the second failure doesn't apply and
the test can reliably expect CANNOT_ATTEST_IDS.

Bug: 292959871
Test: VtsAidlKeyMintTargetTest
Change-Id: If8c6b9e08b48e6caf5c767578e1ac43964214619
2023-08-07 11:53:46 +01:00
Eran Messeri
5fe06ea215 Add VSR annotation to KeyMint tests
Add VSR annotations for the KeyMint v2 and KeyMint v3 requirements.

Bug: 251242992
Test: N/a
Change-Id: I0cf5eff86fe18df6f567b30d697af01bc8cdbb4e
2023-08-02 22:34:24 +01:00
Rajesh Nyamagoud
45b478f32e Whenever generateKey fails updated AttestKeyTests to abort instead of
continuing the execution of the test.

If generateKey fails and execution continues then it leads to issues
while verifying the attest records and causing the crash.

Test: atest VtsAidlKeyMintTargetTest
Bug: 292300030
Change-Id: I66bd650423e9e5bbbfe8411a1455c4ea5846f1ff
2023-07-26 04:49:36 +00:00
Treehugger Robot
03b140d2fb Merge "Enabled attest-id tests to run on GSI builds as well." into main 2023-07-18 16:39:32 +00:00
Rajesh Nyamagoud
c41ed964f0 Enabled attest-id tests to run on GSI builds as well.
Removed the check to skip the attest-id tests on GSI, modified the
attest-id tests to support this.

Bug: 290643623
Test: atest VtsAidlKeyMintTargetTest
Change-Id: Id79d7fb4c70ed94ed76bc57f3d66ce47e9b67b48
2023-07-12 00:12:38 +00:00
David Drysdale
c68dc93788 Allow extra ID attestation error codes
When deliberately testing invalid ID attestation, use the helper
function (which checks the error return code is correct) in one more
place.

Test: VtsAidlKeyMintTargetTest
Bug: 286733800
Change-Id: I6ea5bd7ee19b3b172330117bfde1b16745debba7
2023-07-06 10:23:55 +01:00
David Drysdale
82f86a1d4b Merge "Fix attestation error checks" 2023-07-05 05:20:29 +00:00
David Drysdale
c3de1caf43 Skip ATTEST_KEY using variant on waivered devices
Bug: 281452355
Bug: 289451966
Test: VtsAidlKeyMintTargetTest
Change-Id: Id448edae88569518deb2db4ab7bf50d16f33709a
2023-07-04 13:23:04 +01:00
David Drysdale
810fbcffed Fix attestation error checks
Avoid the ADD_FAILURE at the end if attestion ID failure uses an allowed
return code.

Test: VtsAidlKeyMintTargetTest
Bug: 286733800
Change-Id: I0dcac312ac4516a078b2742721e3a19074da52b1
2023-07-04 13:14:12 +01:00
Treehugger Robot
2e46e91864 Merge "Validating key characteristics of generated/imported keys." 2023-06-29 17:34:26 +00:00
Eran Messeri
4a7c3810fc Merge "Update default KeyMint version to 3" 2023-06-29 16:37:48 +00:00
Rajesh Nyamagoud
7b9ae3c485 Validating key characteristics of generated/imported keys.
Updated VTS tests to verify mgf-digests in key characteristics of
RSA-OAEP keys. Added new tests to import RSA-OAEP keys with
mgf-digests and verified imported key characteristics.

Bug: 279721313
Test: atest VtsAidlKeyMintTargetTest
Change-Id: I06474a85c9e77fded264031ff5636f2c35bee6b4
2023-06-26 18:40:53 +00:00
Treehugger Robot
efb4b9397a Merge "Check for MGF1 digests in key characteristics." 2023-06-26 17:22:09 +00:00
David Drysdale
1d7447e5d3 Merge "Allow extra error code in device ID attestation" 2023-06-22 05:58:57 +00:00
Eran Messeri
8417708fe4 Update default KeyMint version to 3
Update the default KeyMint version to v3.
Note this affects the pure software implementation of KeyMint that is
not used for anything that tests currently run against.

Bug: 275982952
Test: m (that it builds)
Change-Id: I6ab10329af590bd2a045710dfff47c6e78740464
2023-06-21 16:11:25 +01:00
David Drysdale
f42238c99f Allow extra error code in device ID attestation
Generalize the existing helper function to allow more variants.

Remove a couple of pointless invocations of the existing helper.

Bug: 286733800
Test: VtsAidlKeyMintTargetTest
Change-Id: Ic01c53cbe79f55c2d403a66acbfd04029395c287
2023-06-15 09:43:18 +01:00
Treehugger Robot
1acca5c139 Merge "Support to get EC public key from the UdsCertchain." 2023-06-14 17:38:22 +00:00
Subrahmanyaman
a18883a58c Support to get EC public key from the UdsCertchain.
Bug: 285896470
Test: VtsHalRemotelyProvisionedComponentTargetTest
Change-Id: I7f829b1346feeab0fd429ad7b9714181b6668b34
2023-06-12 17:29:38 +00:00
David Drysdale
1b9febc5ca Use RAII to ensure KeyMint keyblobs deleted
If some check in a VTS test case fails, the test function may exit early
and not call CheckedDeleteKey(&some_keyblob), thus "leaking" a key blob.

This isn't normally an issue, but if the key blob happens to use a
feature that uses some secure storage (e.g. ROLLBACK_RESISTANCE or
USAGE_COUNT_LIMIT=1) then this may leak some scarse resource.

To avoid the chance of this, use an RAII holder to ensure that
manually-managed keyblobs (i.e. key blobs that are not held in the
key_blob_ member of the base test class) are always deleted.

Bug: 262212842
Test: VtsAidlKeyMintTargetTest
Change-Id: Ie8806095e249870484b9875eb660070607f339a3
2023-06-07 15:46:42 +01:00
David Drysdale
de2a493b9a KeyMint: more authentication tests
- Test key with multiple allowed SIDs
- Test invalid timestamp token

Test: VtsAidlKeyMintTargetTest
Change-Id: Ieb18d43d8c2db821d32857a332a0a68917b1eba4
2023-06-05 15:02:30 +01:00
Shawn Willden
0f1b257f96 Extend QC SPU waiver to VSR-S devices.
Bug: 281452355
Test: VtsAidlKeyMintTargetTest
Change-Id: I9fc1d1f9a3b5b29cfee3ad325bc1c4ef72c44c13
2023-05-31 10:22:54 -06:00
Treehugger Robot
434a0cc160 Merge "VTS: Test specifying --expect_upgrade {yes,no}" 2023-05-15 09:11:41 +00:00
Tommy Chiu
025f3c5acd VTS: Test specifying --expect_upgrade {yes,no}
It should definitely be the case that a different SPL triggers key
requires upgrade, but the converse isn't true -- if no SPL change, it's
OK for the device to request upgrade anyhow.

Bug: 281604435
Change-Id: Ic03ce51fb4b18ff669595ab430f9fccd1da48997
2023-05-15 07:23:27 +00:00
Treehugger Robot
95ec2cdd2f Merge "KM VTS test fix - handled "null" value for imei." 2023-05-12 02:44:22 +00:00
Rajesh Nyamagoud
71d19b21c3 KM VTS test fix - handled "null" value for imei.
Added a check to make sure IMEI is not "null".

Bug: 281676499
Test: atest VtsAidlKeyMintTargetTest
Change-Id: Ia1569a30412d633eee4d4de8cd00dea077d1c23d
2023-05-09 17:23:02 +00:00
Tri Vo
67567baf94 Merge "Test cases for attested Root-of-Trust" 2023-05-05 17:07:39 +00:00
Tri Vo
520a95bc31 Test cases for attested Root-of-Trust
Add tests for verfied boot state and VBMeta digest.

Bug: 255344624
Test: VtsKeyMintAidlTargetTest
Change-Id: I4f0697e1a7cb83ca87150b6683cac3084a593864
2023-05-05 10:04:39 -07:00