This will make it easier to swap in and out with the Cuttlefish remote
implementation.
Bug: 331474817
Test: m com.android.hardware.keymint.rust_nonsecure
Change-Id: I0e9a350b62a90ef6126db109195e19b4181d0cf8
The ISharedSecret.aidl description of the pre-shared secret K
mentioned that K was set up during factory reset. While that could be
done, it is almost never done; most OEMs inject K in the factory.
Removed the reference to setup in factory reset to reduce confusion.
Test: N/A, comment-only change
Change-Id: Idbbd5a8d64197ef4713a75075a9730d06162ad05
error: field `0` is never read
--> hardware/interfaces/security/authgraph/default/src/main.rs:34:24
|
34 | struct HalServiceError(String);
| --------------- ^^^^^^
| |
| field in this struct
|
= note: `HalServiceError` has derived impls for the traits `Clone` and `Debug`, but these are intenti
onally ignored during dead code analysis
= note: `-D dead-code` implied by `-D warnings`
= help: to override `-D warnings` add `#[allow(dead_code)]`
help: consider changing the field to be of unit type to suppress this warning while preserving the field
numbering, or remove the field
|
34 | struct HalServiceError(());
| ~~
error: aborting due to 1 previous error
Test: ./build.py --lto thin
bug: http://b/330185853
Change-Id: I08b79176fb5edea9e24990e4884e521c24660d68
This target was using the same `.rc` as the keymint-service target,
though it had a different name.
Bug: 331474817
Test: LOCAL_KEYMINT_PRODUCT_PACKAGE=android.hardware.security.keymint-service.nonsecure m && launch_cvd --noresume --secure_hals=keymint,oemlock
Change-Id: I0f744b75e451f6780d8f6c9bddbd5ea80c579a20
If a decice provides a StrongBox KeyMint instance then the default IRPC
instance is required to use a proper, non-degenerate DICE chain.
Expose a function to check whether the CSR contains a proper DICE chain
and use that from VTS to implement the test.
Bug: 302204396
Test: atest VtsHalRemotelyProvisionedComponentTargetTest
Change-Id: I90cf070bc2279fc52e0a8e7fd0039d3fdb68c1d7
Add tests for:
- large number of session creations
- also use a bigger identity, to better simulate real use
- attempt to retrieve a secret with an incorrect identity
Test: VtsSecretkeeperTargetTest (shiba)
Bug: 327526008
Change-Id: I8dddf643d03a8fb679511564cb03c2248477c116
Only applies for devices on VSR API level 35 and above, so that existing
devices which previously passed VTS should not need to pass the new
tests.
Bug: 292534977
Test: VtsAidlKeyMintTargetTest
Change-Id: I8281c3cebf05795e3f9a1ed2b112fc149d8a104c
This is a partial revert of aosp/2856649, changeID
Ia450e9a8f2dc530f79e8d74d7ce65f7d67ea129f, because it turns out
that there are Wear devices that are using the default implementation
(but which are not covered by TreeHugger/presubmit).
It restores the C++ implementation for KeyMint as
android.hardware.security.keymint-service, but preserves the Rust
libraries that were moved here in that CL as a subsequent CL
(aosp/2852598) means that Cuttlefish now uses the libraries here.
Test: VtsAidlKeyMintTargetTest on Cuttlefish
Bug: 328251011
Bug: 314513765
Change-Id: Id6f3491144588e418cd6e18e51262fe839bfdf39
Copy code that can be re-used from the Cuttlefish KeyMint
implementation, specifically from the following directories
under device/google/cuttlefish:
- HAL-side code from guest/hals/keymint/rust/
- TA-side code from host/commands/secure_env/rust/
Create a corresponding pair of libkmr_{hal,ta}_nonsecure libraries here.
The only changes to the copied code are:
- Convert `pub(crate)` to `pub` in `attest.rs`.
- Add some missing doc comments.
- Add comment noting need for SELinux permission to read ro.serialno.
- Add comment noting need for clock to be in sync with Gatekeeper.
(A subsequent CL aosp/2852598 adjusts Cuttlefish so that it uses the
copied modules here, and can remove the original copies.)
In addition to the moved code, the default implementation also needs
a new implementation of a monotonic clock, added here in clock.rs
using `std::time::Instant`.
With the new nonsecure HAL and TA libraries in place, implement the
default KeyMint HAL service using the former, and spin up a single
thread running a nonsecure TA using the latter. Communicate between
the two via a pair of mpsc::channel()s.
Test: VtsAidlKeyMintTargetTest with normal Cuttlefish (all pass)
Test: VtsAidlKeyMintTargetTest with default/nonsecure impl (auth
tests fail, but this is expected as Gatekeeper hasn't moved)
Bug: 314513765
Change-Id: Ia450e9a8f2dc530f79e8d74d7ce65f7d67ea129f
When dumping attestation certificate chains with the --dump_attestations
option, add a separator between distinct chains to make them easier to
analyze.
Bug: 326564087
Test: VtsAidlKeyMintTargetTest
Change-Id: Ife19edfddef6c8cd26de9f9816c3c9bf65cbb929
Used ASN1_TIME_to_posix API instead of ASN1_TIME_to_time_t
to avoid integer overflow on 32-bit systems.
Bug: 325853206
Test: vts -m VtsAidlKeyMintTarget
Change-Id: I7a01a521d389482a61ad9974b7e40eaa099c3571
Secretkeeper is expected to advertize its public key to Android via
Device tree node at /avf/reference/avf/ Check that the identity used
during AutGraph key exchange protocol with client is indeed this.
Test: #secretkeeper_check_identity on device with Sk/default instance
enabled
Bug: 291213394
Change-Id: I08815d75410fdd0c76d675c7cc9521abe0cda98b
KeyMint enforcement of UNLOCKED_DEVICE_REQUIRED is broken, has never
been used, and cannot be fixed. So, document that it does not need to
be implemented. Also remove the VTS test for it, which was disabled.
UNLOCKED_DEVICE_REQUIRED remains supported in Keystore.
Bug: 321100166
Test: Build
Change-Id: If4d47ee49c9d4a595820cfceb0f5f3027f99ee9f
In newer versions of libc++, std::char_traits<T> is no longer defined
for non-character types, and a result, std::basic_string_view<uint8_t>
is also no longer defined. See
https://discourse.llvm.org/t/deprecating-std-string-t-for-non-character-t/66779.
Bug: 175635923
Test: libkeymint_remote_prov_support_test
Change-Id: Ic373e0a3c081b996d4c81a9783103ae6406833f7
This CL is created as a best effort to migrate test targets
to the new android ownership model. If you find incorrect or unnecessary
attribution in this CL, please create a separate CL to fix that.
For more details please refer to the link below,
go/new-android-ownership-model
Bug: 304529413
Test: N/A
Change-Id: Ic8c4bd6ac246e7efa98bbdaf822d12ae8e1230a5
Include a list of subcomponents in AVB DiceChainEntry in the sample DICE
chain and include constraints on that in the sealing_policy.
Bug: 291238565
Test: VTS#secret_management_policy_gate
Change-Id: Id36ddf137bacf99c273b61c3136691426f2d5b34
This is needed to upgrade the android_logger crate from 0.12.0
to 0.13.3.
with_max_level provides the same functionality as with_min_level.
The renaming is admittedly confusing, but the new name is accurate
and it makes sense that they deprecated and then removed the
previously poorly named with_min_level.
See crate documentation [1] and code [2].
[1]: https://docs.rs/android_logger/0.12.0/android_logger/struct.Config.html#method.with_min_level
[2]: https://docs.rs/android_logger/0.12.0/src/android_logger/lib.rs.html#227
Bug: 322718401
Test: build and run CF with the change.
Test: m aosp_cf_x86_64_phone
Change-Id: I0ca9596433967be70e9d55acb6cfbf9322741bf8
With libdice_policy being refactored, get VTS to use the builder
library.
Test: Built the test-suite
Bug: 291238565
Change-Id: I149ec1ba9ee66fd19cbf0d0a6f3baa12ea2474ed
Allows testing of secret persistence across reboot (and non-persistence
across factory reset).
Move some test code into a library for re-use.
Test: Manual
Change-Id: I23772692d2de652f6d4a8e5659186bd9c1c06b72
ConstraintSpec constructor will take enum instead of boolean for missing
action.
Test: atest VtsSecretkeeperTargetTest
Bug: 291213394
Change-Id: I55fb0d8ef1fccca5feedf1fd368854ffb7eafaaf
1. Add a test to check Access control in Secretkeeper HAL: Construct
dice chains with different security version and check that the secret
is accessible with upgraded dice chain && DicePolicyError is thrown
when the access is requested using a dice chain with lower security
version.
2. Re-enable test #replay_protection_out_of_seq_req_not_accepted - This
was disabled because the method would not panic when run on
devices without Sk HAL, causing test failure. Refactor the test to
check the error instead of unwrapping.
Many methods of SkClient struct are refactored to return Error (also
introduced in this patch) instead of panicking on error.
Test: atest VtsSecretkeeperTargetTest
Bug: 291224769
Bug: 317416663
Change-Id: I646783e034064f81625a978a2bcacf143ff60c87
Change the spec for DiceCertChainInitialPayload, removing the map &
directly equating it to bstr .cbor PubKey. Also mandate it to stick to
Core Deterministic Encoding Requirements. The deterministic encoding is
essential to ensure DicePolicies can be applied on the root key.
Test: Builds
Bug: 319613231
Change-Id: I5e12ecbcbae84ae608d784a12f8ae4afc49b5a9d
VTS (being the client of Sk) will use dice_chain as the identity.
Consequently we can use the sealing policy constructed out of this
identity & no more need to use HYPOTHETICAL_DICE_POLICY hack.
For sample identity, we create dice_sample module which constructs an
example dice chain (in Explicit key chain format), along with secrets.
Test: Secretkeeper VTS
Bug: 291224769
Change-Id: Ia1d1a92391d3ee455bf9fe254770b4a9bd08cb12
As we make Dice policy work with explicit key format of dice chain, the
hard coded policy needs to change to be compatible with hard coded
explicit key chain in the TA.
Test: VTS
Bug: 291213394
Change-Id: Ib3740d8f12f0a5f4e680bd215170bc96596fbe06
Use rdroidtest for running tests as it now supports parameterized
tests (aosp/2885268) and has an attribute macro (aosp/2890086).
Also rustfmt.
Test: VtsSecretkeeperTargetTest
Change-Id: I9570a7f33a6ff7dbf7cb7238fa3770dedb990e8c
