Update __ANDROID_API_V__ with 202404 for the vendor api level.
Bug: 312798205
Bug: 315246126
Test: atest VtsHalRemotelyProvisionedComponentTargetTest
Change-Id: I0e6ff71e57137e3f6d7e5e5bf082d10026cec2e0
[Description]
1.Add patch to modify rkp_factory_extraction_tool, so
that it can meet TV customer's factory product line.
2.Change the method for
rkp_factory_extraction_tool to get the serial number.
3.Introduce a new input parameter, serialno_prop,
to the function jsonEncodeCsrWithBuild.
4.Use the new property of serialno_prop if it is set,
otherwise defaults to "ro.serialno".
Test:
1.build pass
2.AC on/off pass
3.run "rkp_factory_extraction_tool
--output_format build+csr
--serialno_prop $(customer_prop) > csr.json" pass
4.run "rkp_factory_extraction_tool
--output_format build+csr > csr.json" pass
5.VtsHalRemotelyProvisionedComponentTargetTest pass
6.libkeymint_remote_prov_support_test pass
7.VtsAidlKeyMintTargetTest pass
Bug: 313811996
Change-Id: I8aa83bacab22f0a28bc54aea9e816f75a382ffde
Revert submission 2829351-revert-2812456-revert-2812435-revert-2778549-expose-avf-rkp-hal-GTFGLMUUKQ-PAWNEHUQBT-WYENGHRTXK
Reason for revert: Relands the original topic:
https://r.android.com/q/topic:%22expose-avf-rkp-hal%22
PS2 is the same as the original cl: aosp/2796032
Reverted changes: /q/submissionid:2829351-revert-2812456-revert-2812435-revert-2778549-expose-avf-rkp-hal-GTFGLMUUKQ-PAWNEHUQBT-WYENGHRTXK
Test: atest MicrodroidHostTests librkp_support_test
Change-Id: I7200599131c01908db7fa3bb4a6f989418a89288
Given that we are not expecting to release a v4 of the KeyMint HAL for
Android V, tweak some spec and test details so that existing v3
implementations do not need to change.
- Soften the requirement to use (1970-01-01, 9999-12-31) as cert dates
when secure-importing an asymmetric to be a suggestion instead.
- Change the version gate for the test of importing an EC key with no
specified `EC_CURVE` to be VSR-gated rather than gated on a putative
future version of the HAL.
Test: VtsAidlKeyMintTargetTest
Bug: 292318194
Bug: 292534977
Change-Id: Ib8d6e79ea948ee77eeb2528d698205179f026fd3
Only police for future versions of KeyMint, so that any existing
implementations that use the full key don't suddenly start to fail
VTS.
Bug: 305103215
Test: VtsAidlKeyMintTargetTest
Change-Id: If6534b84b6eff8cdb281586e17a5f89c7bf5f5d0
KeyMint should be able to handle challenges up to 128 bytes.
Document this (and the expected error code) in Tag.aidl.
Bug: 307714384
Test: m
Change-Id: Id099dd055c81b10d777effdf364395f84d8b35c6
Revert submission 2812435-revert-2778549-expose-avf-rkp-hal-GTFGLMUUKQ
Reason for revert: This change relands the topic
https://r.android.com/q/topic:%22expose-avf-rkp-hal%22
This SELinux denial has been fixed in system/sepolicy
Reverted changes: /q/submissionid:2812435-revert-2778549-expose-avf-rkp-hal-GTFGLMUUKQ
Change-Id: Ia1aed212bf8de4b81239997cc1d1ca665cc456eb
This cl adjusts IRPC VTS tests so that it can handle the IRPC AVF
impl in an environment where the IRPC operations are not supported.
Bug: 299257581
Test: atest VtsHalRemotelyProvisionedComponentTargetTest
Change-Id: Iae96076c20e360e6a4aca5518ca8df21920f6978
Since there were no VTS test to strictly check RSA_OAEP_MGF_DIGEST,
there are released devices with Keymint which do not include this tag in
key characteristics, hence these test fails on such Keymint and UDC
Android framework.
Hence version check is added before asserting MGF digest checks.
Bug: 297306437
Test: atest VtsAidlKeyMintTargetTest
Change-Id: I43054f8dbbd46de53deef5e6771c736e770280e0
Negative test cases should not expect UNKNOWN_ERROR from Keymint since
the exact cause of failure is known.
In general, we should avoid UNKNOWN_ERROR because it makes error
attribution difficult.
To avoid adding retroactive requirements KM implementation, relax the
check to expect any error.
Bug: 298194325
Test: VtsAidlKeyMintTargetTest
Change-Id: I136fb6d36ae92c9e3722ffefe9a067d3515dcbf9
Check the VSR of the device to select the DICE validation rules that
will be appropriate to use for VTS.
Test: TH
Change-Id: Iff19debd1e442a0b318da1a4d8a08d470efba0ae
The original change to add this test didn't make it into the Android 13
version of the VTS test, so the version gate needs to be updated to be
v3+
Bug: 292318194
Test: VtsAidlKeyMintTargetTest --gtest_filter="*EcdsaMissingCurve*"
Change-Id: I94bf816688e57c7c04893a23cf0399129de94229
Allow for devices that claim to need external timestamps, but don't.
Test: VtsAidlKeyMintTargetTest
Bug: 300211206
Change-Id: Ie450d9969c337d5274502f3600e14c0b481e8b34
Earlier, attestation properties didn't match on GSI images, hence
EcdsaAttestationIdTags VTS test case was skipped on GSI images.
Recently attestation properties reading priority changed as
ro.product.*_for_attestation -> ro.product.vendor.* -> ro.product.*
that means on GSI images ro.product.vendor.* properties could be used
and hence attestation should work. Incase ro.product.vendor.* properties
are not same as provisioned values to KM. They should be set as
ro.product.*_for_attestation on base build.
Bug: 298586194
Test: atest VtsAidlKeyMintTargetTest:PerInstance/NewKeyGenerationTest#EcdsaAttestationIdTags/0_android_hardware_security_keymint_IKeyMintDevice_default
Change-Id: Ie945bd8f7060e0e768daf9681d121ea5f170a6e1
This solution was adopted from Cuttlefish's host side Keymint
implementation: I22bde00aed311c6774f83acc08a2c21e6e75141f.
Bug: 296983430
Test: Tested with Cuttlefish that the logs are present in logcat.
Change-Id: I942b0200bb164a2a865b255c6f26d628cbd345a4
On top of checking that the patch level are a UINT, also check that they
follow the YYYYMM or YYYYMMDD format in the CSR v3 as is required by the
server validation logic. This check is not applied in the factory as the
value might not yet be correctly provisioned.
Bug: 269813991
Test: atest VtsHalRemotelyProvisionedComponentTargetTest
Change-Id: I5c62ba176dae390ea0a387bba6cb975226e3873a
It turns out we had a bug (b/263844771) in how RKP support was
detected, and that was fixed. However, due to this bug, some S chipests
shipped without RKP support which is now required by the tests.
This change drops the RKP requirement from S chipsets. There should be
no new S chipsets, so this effectively grandfathers in the previous
ones that were skipped by the RKP VTS tests.
T+ tests (both VTS and other suites) will verify that RKP support is
there, so there is no gap introduced by this change.
Bug: 297139913
Test: VtsAidlKeyMintTargetTest
Change-Id: I387e5f058ada698747aac103c1745682291f2d1c
The test case for an auth-per-operation HAT with an invalid HMAC
is wrong -- it is re-using the previous HAT, which fails for a
different reason (has an old challenge).
Fix the test to use the HAT that's wrong in the intended way.
Bug: 297333975
Test: VtsAidlKeyMintTargetTest
Change-Id: I15fe9b0c1b53452df0f67dd44534fdb80a6c2a9c
