All request messages are encrypted, but response messages have an outer
unencrypted layer, with an inner response (and the result values inside
that).
Make the SecretManagement.cddl file clearer to reflect that, and make
the schema valid along the way.
Move the outer (unencrypted) error code values into `ErrorCode.aidl` and
use them as service-specific error codes, thus reducing the number of
error types from 3 to 2.
Bug: 291228560
Test: VtsSecretkeeperTargetTest
Test: validate CDDL with https://atacama.informatik.uni-bremen.de/
Change-Id: I46c5bfd7e40b03919d7d3779b265b3bb3ff1ce1e
Test Store/Get api of SecretManagement HAL. We use a hard coded
hypothetical chain & a dice policy (which the dice chain matches
against) for testing the store/get functionality.
This patch also adds required error codes in SecretManagement.cddl
Bug: 291224769
Test: atest VtsSecretkeeperTargetTest
Change-Id: I0aa2dfc7413791e9de62a6e753bda4ab2f813d2c
We introduce InMemoryStore, an implementation of KeyValueStore trait.
This can be used for implementing backends that VTS can run against.
Bug: 291224769
Test: atest VtsSecretkeeperTargetTest
Change-Id: Id109ee3bd38ec0979953b6285019c97d418172ef
Update __ANDROID_API_V__ with 202404 for the vendor api level.
Bug: 312798205
Bug: 315246126
Test: atest VtsHalRemotelyProvisionedComponentTargetTest
Change-Id: I0e6ff71e57137e3f6d7e5e5bf082d10026cec2e0
With Request/Response packets impl CborSerializable. Use the methods
from those.
Test: atest libsecretkeeper_comm_nostd
Bug: 291228655
Change-Id: Ib0daf9c0aa3417befedbc130725fb3445b327079
[Description]
1.Add patch to modify rkp_factory_extraction_tool, so
that it can meet TV customer's factory product line.
2.Change the method for
rkp_factory_extraction_tool to get the serial number.
3.Introduce a new input parameter, serialno_prop,
to the function jsonEncodeCsrWithBuild.
4.Use the new property of serialno_prop if it is set,
otherwise defaults to "ro.serialno".
Test:
1.build pass
2.AC on/off pass
3.run "rkp_factory_extraction_tool
--output_format build+csr
--serialno_prop $(customer_prop) > csr.json" pass
4.run "rkp_factory_extraction_tool
--output_format build+csr > csr.json" pass
5.VtsHalRemotelyProvisionedComponentTargetTest pass
6.libkeymint_remote_prov_support_test pass
7.VtsAidlKeyMintTargetTest pass
Bug: 313811996
Change-Id: I8aa83bacab22f0a28bc54aea9e816f75a382ffde
Add `ISecretkeeper::getAuthGraphKe()` method to the Secretkeeper HAL.
Align the AIDL targets between AuthGraph and Secretkeeper, and add
some defaults that automatically link to the current version of the
Secretkeeper AIDL targets.
Move the non-secure implementation of AuthGraph to run the TA in a
separate thread.
Alter the nonsecure implementation of Secretkeeper so that it no longer
directly implements Secretkeeper functionality, but instead re-uses
common code from the Secretkeeper reference implementation. This
involves re-using the common implementation of the HAL service (from
`authgraph_hal`), but also involves using the reference implementation
of the the TA code that would normally run in a separate secure
environment. The latter code expects to run in a single-threaded
environment, so run it in a single local thread.
Note that the negotiated session keys emitted by AuthGraph are not yet
used by Secretkeeper (coming in a subsequent CL).
Extend the Secretkeeper VTS tests to invoke the AuthGraph VTS inner
tests on the returned IAuthGraphKeyExchange instance, exercising the
instance as an AuthGraph sink.
Bug: 291228560
Test: VtsSecretkeeperTargetTest
Change-Id: Ia2c97976edc4530b2c902d95a74f3c340d342174
The RKP VM is part of the Android Virtualization Framework. It will be
uniquely authenticated by the RKP server, and therefore needs its own
certificate type.
Bug: 300624493
Change-Id: Ice586ad85ae43235dd80a5d220603e7394c1c49b
Revert submission 2829351-revert-2812456-revert-2812435-revert-2778549-expose-avf-rkp-hal-GTFGLMUUKQ-PAWNEHUQBT-WYENGHRTXK
Reason for revert: Relands the original topic:
https://r.android.com/q/topic:%22expose-avf-rkp-hal%22
PS2 is the same as the original cl: aosp/2796032
Reverted changes: /q/submissionid:2829351-revert-2812456-revert-2812435-revert-2778549-expose-avf-rkp-hal-GTFGLMUUKQ-PAWNEHUQBT-WYENGHRTXK
Test: atest MicrodroidHostTests librkp_support_test
Change-Id: I7200599131c01908db7fa3bb4a6f989418a89288
Add VTS for testing ISecretkeeper implementation. At present, VTS is
limited to testing GetVersion operation of SecretManagement.
Test: atest VtsSecretkeeperTargetTest
Bug: 291224769
Change-Id: I6084af2fa6cb578e27996e26a0505b267a10b4ef
A failure to get the IAuthGraphKeyExchange/nonsecure instance might
be because it's not registered (likely on most non-Cuttlefish devices)
or it might be for some other reason, such as SELinux denial.
So detect other kinds of failure to get the service, and also change
the VTS to require root so SELinux denials don't happen.
Also tweak the expected return code when a source is given a corrupt
key; now that replay protection is implemented, the reference
implementation rejects this earlier (and with a different error)
because the session lookup fails.
Test: VtsAidlAuthGraphRoleTest
Bug: 291228560
Change-Id: I032600ac809f43a3642fa9ef9aae788d3ca2378f
Given that we are not expecting to release a v4 of the KeyMint HAL for
Android V, tweak some spec and test details so that existing v3
implementations do not need to change.
- Soften the requirement to use (1970-01-01, 9999-12-31) as cert dates
when secure-importing an asymmetric to be a suggestion instead.
- Change the version gate for the test of importing an EC key with no
specified `EC_CURVE` to be VSR-gated rather than gated on a putative
future version of the HAL.
Test: VtsAidlKeyMintTargetTest
Bug: 292318194
Bug: 292534977
Change-Id: Ib8d6e79ea948ee77eeb2528d698205179f026fd3
Only police for future versions of KeyMint, so that any existing
implementations that use the full key don't suddenly start to fail
VTS.
Bug: 305103215
Test: VtsAidlKeyMintTargetTest
Change-Id: If6534b84b6eff8cdb281586e17a5f89c7bf5f5d0
Create the default/reference implementation of Secretkeeper HAL. Status
quo, this is non-secure implementation. In reality, the HAL should be
backed by a privileged component such a trusted app.
Bug: 291224769
Test: Topic includes VTS
Change-Id: I6a4ad50482d537f5438de6201275f4020cd827df
Secretkeeper is a privileged component which seals the secrets of pVM
instances & releases them on successful authentication of the pVM.
The HAL should be backed by a secure TA of higher privilege than a pVM.
This patch introduces a subset of HAL spec - the SecretManagement api. The
protocol is cbor based (specified in SecretManagement.cddl).
Test: atest VtsSecretkeeperTargetTest
Bug: 293429085
Change-Id: I8e650f27d506d378a94bbc8834c68a005fb12253
This CL updates description of the `Nonce` used in key exchange as per
API council review.
Additionally, this includes updates to the documentation that are found
to be suitable as per further proof reading.
Test: N/A
Change-Id: Ie59e3a10eb8844fcfac9dad60c9d431ae499ee40
Add VTS tests that just exercise a single role, sink or source.
Use the AuthGraph core library to provide the implementation of the
other role. This means that the tests are best written in Rust.
Put the test code into a library, so that other HALs which include
AuthGraph as a component can exercise the AuthGraph parts in their own
VTS tests.
Test: VtsAidlAuthGraphRoleTest
Bug: 284470121
Change-Id: I73f6aa277b41cc728587d707d7a6f82f0d18e08f
Use the core library's new service implementation, which wraps a
channel to the TA.
In this nonsecure case, the TA is local in-process, so use the core
library's AuthGraphTa, and implement the SerializedChannel as just
a direct invocation of the TA.
Move this code into a _nonsecure library, so the main.rs just has
the code needed to start the executable and register the service.
Test: VtsAidlAuthGraphSessionTest
Bug: 284470121
Change-Id: I738d3876872a8cd248f0ebec708676d1173b6e37
getMessage is often empty. getDescription will always include at least
the status code.
Test: atest VtsHalRemotelyProvisionedComponentTargetTest
Change-Id: Id401184a3c3642188e26fa2ec03f19515f89ae4f
The authgraph_hal library should only depend on libauthgraph_wire, not
on libauthgraph_core, so adjust error processing accordingly.
Test: VtsAidlAuthGraphSessionTest
Bug: 284470121
Change-Id: I48056db6ceeab409d0f165f8e051809129643c6f
KeyMint should be able to handle challenges up to 128 bytes.
Document this (and the expected error code) in Tag.aidl.
Bug: 307714384
Test: m
Change-Id: Id099dd055c81b10d777effdf364395f84d8b35c6
Add an implementation for the AuthGraph key exchange HAL, to allow
testing and policy compliance.
In real use, IAuthGraphKeyExchange instances are expected to be
retrieved from some other HAL, allowing the AuthGraph instance to be
specifically correlated with the component that uses it.
Bug: 284470121
Bug: 291228560
Test: hal_implementation_test
Test: VtsAidlAuthGraphSessionTest
Change-Id: Ib064292d60bead663af7721fd1406f2a9b5d8ecd
Introduce the AIDL methods for key exchange and the CDDLs for
the relevant input/output types that are CBOR encoded.
Use a standard comment format in CDDL files to indicate where additional
structure definitions can be found, in the hope that one day tooling
will be available to automatically check schema syntax.
Add authgraph to compatibility matrix
This CL merges the CLs: aosp/2750484, aosp/2750485, aosp/2750486 by
drysdale@google.com
Co-authored-by: David Drysdale <drysdale@google.com>
Bug: 284470121
Test: validate schemas with https://cddl.anweiss.tech/
Test: VtsAidlAuthGraphSessionTest (with nonsecure default impl)
Change-Id: I2793666ede028f8abe91569587c09dcac21c67e0
Revert submission 2812435-revert-2778549-expose-avf-rkp-hal-GTFGLMUUKQ
Reason for revert: This change relands the topic
https://r.android.com/q/topic:%22expose-avf-rkp-hal%22
This SELinux denial has been fixed in system/sepolicy
Reverted changes: /q/submissionid:2812435-revert-2778549-expose-avf-rkp-hal-GTFGLMUUKQ
Change-Id: Ia1aed212bf8de4b81239997cc1d1ca665cc456eb
This cl adjusts IRPC VTS tests so that it can handle the IRPC AVF
impl in an environment where the IRPC operations are not supported.
Bug: 299257581
Test: atest VtsHalRemotelyProvisionedComponentTargetTest
Change-Id: Iae96076c20e360e6a4aca5518ca8df21920f6978
Since there were no VTS test to strictly check RSA_OAEP_MGF_DIGEST,
there are released devices with Keymint which do not include this tag in
key characteristics, hence these test fails on such Keymint and UDC
Android framework.
Hence version check is added before asserting MGF digest checks.
Bug: 297306437
Test: atest VtsAidlKeyMintTargetTest
Change-Id: I43054f8dbbd46de53deef5e6771c736e770280e0
Negative test cases should not expect UNKNOWN_ERROR from Keymint since
the exact cause of failure is known.
In general, we should avoid UNKNOWN_ERROR because it makes error
attribution difficult.
To avoid adding retroactive requirements KM implementation, relax the
check to expect any error.
Bug: 298194325
Test: VtsAidlKeyMintTargetTest
Change-Id: I136fb6d36ae92c9e3722ffefe9a067d3515dcbf9
std::unique consolidates the unique nonces at the start of the `nonces`
vector, but it doesn't modify nonces.size(), so these tests weren't
actually verifying that the nonces were unique. Add a vector::erase
call to shrink the vector.
After upgrading libc++, std::unique is [[nodiscard]] and this bug is
a compiler error.
Bug: 175635923
Test: treehugger
Test: m VtsAidlSharedSecretTargetTest VtsHalKeymasterV4_0TargetTest
Change-Id: I7fd8c40a3920bf3a8988c8065503c78ba36dc742
Check the VSR of the device to select the DICE validation rules that
will be appropriate to use for VTS.
Test: TH
Change-Id: Iff19debd1e442a0b318da1a4d8a08d470efba0ae
The original change to add this test didn't make it into the Android 13
version of the VTS test, so the version gate needs to be updated to be
v3+
Bug: 292318194
Test: VtsAidlKeyMintTargetTest --gtest_filter="*EcdsaMissingCurve*"
Change-Id: I94bf816688e57c7c04893a23cf0399129de94229
Allow for devices that claim to need external timestamps, but don't.
Test: VtsAidlKeyMintTargetTest
Bug: 300211206
Change-Id: Ie450d9969c337d5274502f3600e14c0b481e8b34
Extract CDDL from MacedPublicKey.aidl and DeviceInfo.aidl.
Make -70000 optional in `PublicKey`.
Make CDDL compliant with RFC8610:
- Move `bstr` contents for generated data (e.g. `ECDSA(..)`) to comments.
- Fix alternatives in CBOR-encoded bstr instances.
Add more RFC references and unify reference style.
Try to use a standard format to indicate that external files are needed
for the complete CDDL schema. (Hopefully in the future we might have
tooling that uses these to check the schemas.)
Test: Compile with docs.rs/cddl-cat and https://cddl.anweiss.tech/
Change-Id: Ie1d6c39f1cc0314e312df9205b570b89178ebd16
Earlier, attestation properties didn't match on GSI images, hence
EcdsaAttestationIdTags VTS test case was skipped on GSI images.
Recently attestation properties reading priority changed as
ro.product.*_for_attestation -> ro.product.vendor.* -> ro.product.*
that means on GSI images ro.product.vendor.* properties could be used
and hence attestation should work. Incase ro.product.vendor.* properties
are not same as provisioned values to KM. They should be set as
ro.product.*_for_attestation on base build.
Bug: 298586194
Test: atest VtsAidlKeyMintTargetTest:PerInstance/NewKeyGenerationTest#EcdsaAttestationIdTags/0_android_hardware_security_keymint_IKeyMintDevice_default
Change-Id: Ie945bd8f7060e0e768daf9681d121ea5f170a6e1
This solution was adopted from Cuttlefish's host side Keymint
implementation: I22bde00aed311c6774f83acc08a2c21e6e75141f.
Bug: 296983430
Test: Tested with Cuttlefish that the logs are present in logcat.
Change-Id: I942b0200bb164a2a865b255c6f26d628cbd345a4
Move CDDL out of comments and into files, per-method
generateCertificateRequest.cddl
generateCertificateRequestV2.cddl
This makes it easier to read and it means tools can parse it.
Test: Treehugger
Change-Id: I9b71b094d128a5a4566a4d352aaa11d1c9b595ff
On top of checking that the patch level are a UINT, also check that they
follow the YYYYMM or YYYYMMDD format in the CSR v3 as is required by the
server validation logic. This check is not applied in the factory as the
value might not yet be correctly provisioned.
Bug: 269813991
Test: atest VtsHalRemotelyProvisionedComponentTargetTest
Change-Id: I5c62ba176dae390ea0a387bba6cb975226e3873a
It turns out we had a bug (b/263844771) in how RKP support was
detected, and that was fixed. However, due to this bug, some S chipests
shipped without RKP support which is now required by the tests.
This change drops the RKP requirement from S chipsets. There should be
no new S chipsets, so this effectively grandfathers in the previous
ones that were skipped by the RKP VTS tests.
T+ tests (both VTS and other suites) will verify that RKP support is
there, so there is no gap introduced by this change.
Bug: 297139913
Test: VtsAidlKeyMintTargetTest
Change-Id: I387e5f058ada698747aac103c1745682291f2d1c
