The keymaster TA has 30841 distinct coverage counters, so 0x4000 counter
slots is not enough to handle this TA. Increase maximum number of
coverage counters to 0x8000.
Test: adb shell trusty_keymaster_fuzzer
Bug: 175918322
Change-Id: I879d18538edb4933a4205c8f73b7939ddbf69e37
Add an initial corpus for the keymaster fuzzer derived from running the
keystore2 unittests.
Test: adb shell "cd /data/fuzz/arm64/trusty_keymaster_fuzzer/ && ./trusty_keymaster_fuzzer corpus"
Bug: 175918322
Change-Id: I839bb9bacee1800cf2da25aedbb4ce3eccf16cba
libtrusty can be depended on by multiple thing in a fuzzer's
dependencies tree. It's no longer convenient to link to statically.
Leave tests statically linked. Test infra doesn't seem to handle shared
test libs correctly.
Bug: 171750250
Test: trusty_test_fuzzer libtrusty_coverage_test
Change-Id: Ic7d003151e43fb5bab63354fd42ea9667332743f
In order to validate the BoringSSL implementation in Trusty using ACVP,
we need a modulewrapper tool that forwards requests to Trusty and back
to the ACVP tool. Adds this tool, which interfaces with the Trusty ACVP
testing service.
Test: make trusty_acvp_modulewrapper
Test: adb shell "acvptool -wrapper trusty_acvp_modulewrapper -json vectors/ACVP-AES-CBC"
Bug: 173805789
Change-Id: I3028e44c00f8e315dfd94ea34c004bbd25fab788
Fix a typo in one of the short command line options
for the Trusty application loader. The typo caused
the tool to incorrectly accept the -s short option
and ignore it, but not accept the -D option which
is the short version of --dev.
Bug: 115420908
Test: m
Change-Id: I9d03f8dd20adedbd820621ae8f9b4d13137041ed
The header SecureDPU.h is moved out from the device specific folder as
it can be shared for different devices.
Bug: 176508588
Test: Pass TUI VTS test on the emulator.
Change-Id: I7695b49c4f7a247b570ced61145471efef3d0a3d
Trusty Keymaster will currently disconnect the client on an invalid
message. This includes the newly introduced GET_VERSION2 message.
While in the future we could change this behavior, this is a backcompat
path and so we can't assume a changed Trusty. Reconnect on failed
GET_VERSION2 before attempting version negotiation.
Bug: 177843218
Test: Set PIN on device using older Trusty
Change-Id: Ie60e4aaafa43e375797e6288b97834cac42413f4
* changes:
trusty: Add simple fuzzer for keymaster TA
trusty: Increase limit on coverage counters
trusty: Write out sancov file when fuzzer exits
trusty: Switch to dmabuf for coverage shared memory
Adds a simple libfuzzer-based coverage guided fuzzer for keymaster.
Current coverage is low, so we'll need to improve this with an initial
corpus or a more sophisticated protocol aware fuzzer.
Bug: 175918322
Test: make trusty_keymaster_fuzzer
Test: adb shell /data/fuzz/arm64/trusty_keymaster_fuzzer/trusty_keymaster_fuzzer
Change-Id: Iad1713e1a73cc5a6a3ec742cc433d1337aca9bc3
Keymaster has more than 4096 counters, so we need to allocate a larger
section for the libfuzzer extra counters. Increases the size of the
extra counters section to 16384.
Bug: 171750250
Test: atest libtrusty_coverage_test
Change-Id: Iaee2c74b6d0c7ae8a2e5a30525759f89f825a091
Add emission of sancov file when CoverageRecord is destroyed. This
will occur when a fuzzer driver exits cleanly, i.e. -runs=0 with an
existing corpus.
Test: make trusty_gatekeeper_fuzzer
Test: adb shell ./trusty_gatekeeper_fuzzer -runs=0 corpus
Bug: 175221942
Change-Id: I6bd1c8b2f2091e894c35f7a4874b54577a91c8fc
Trusty shared memory now uses dmabuf instead of memfd. Switch the
coverage buffer allocation to use libdmabufheap.
Test: atest libtrusty_coverage_test
Bug: None
Change-Id: I067dd0774d19b42380ce5cb8ceb3541fa77ef9f0
The corpus of Confirmationui usually contains multiple data packets
to be transfered from Android side to Trusty side.
Therefore we adjust the Confirmationui fuzzer so that it can send
data to Confirmationui TA several times through a same tipc channel.
Bug: 174402999
Bug: 171750250
Test: /data/fuzz/arm64/trusty_confirmationui_fuzzer/trusty_confirmationui_fuzzer
Change-Id: Ib6ae831e6a19c98eb62a1c75f77eb00f914e2f5c
We want to add coverage statistics to the trusty-ut-ctrl tool, which is
a vendor binary. Thus we need a vendor variant of libtrusty_coverage.
Merges system libtrusty_test and vendor libtrusty into a single
vendor_available library so that we can add vendor_available to
libtrusty_coverage and make it accessible from vendor tools.
Bug: 175221942
Test: make libtrusty_coverage
Change-Id: I68cc8f1c1580bda8591dbe744e9751474811576d
Adds the ability to retrieve and save program counter information from
the trusty coverage record data. PC information is saved to a .sancov
file, parseable by the LLVM sancov tool. Sancov can then symbolize and
display this coverage information for consumption by humans.
Adds a sancov dump to the libtrusty_coverage_test for testing.
Bug: 175221942
Test: atest libtrusty_coverage_test
Test: Retrieve sancov file and manually symbolize with sancov
Change-Id: I342ea2ca9abb87986b2904ff69415544ee6070fc
Simplifies development flow because libtrusty_test.so doesn't need to be
pushed with the fuzzer.
Bug: 171750250
Test: m trusty_gatekeeper_fuzzer && adb sync data && \
adb shell /data/fuzz/arm64/trusty_gatekeeper_fuzzer/trusty_gatekeeper_fuzzer
Change-Id: I7c83b5784ede4881dcd9c2dd33c97bf49fcde6ff
Change-Id: Iba60f03000bfca15b00e484ef3a168604c65554a
Add ExtraCounters to Confirmationui fuzzer so that the fuzzer can
grab the coverage information of the Confirmationui TA.
Bug: 174402999
Bug: 171750250
Test: /data/fuzz/arm64/trusty_confirmationui_fuzzer/trusty_confirmationui_fuzzer
Change-Id: I2e287281e7c8100f0d48413fbe0ff99d397a74c1
* changes:
trusty: provide coverage to gatekeeper fuzzer
trusty: fuzz: Example TA fuzzer
trusty: fuzz: Helper lib for libFuzzer extra counters
trusty: coverage: Coverage client library
Note: We need to add Confirmationui TA into
TRUSTY_BUILTIN_USER_TASKS to run the fuzzer.
Bug: 174402999
Bug: 171750250
Test: /data/fuzz/arm64/trusty_confirmationui_fuzzer/trusty_confirmationui_fuzzer
Change-Id: I22769782ded05eeedeb111f7537b5ba76e98ce73
Used by tests on the system side of the Treble boundary, e.g. fuzzing
Test: m libtrusty libtrusty_test
Change-Id: I56a15c80eb7c4b9e51f8e59a7cd1abdfc35d8d5a
Make the trusty-ut-ctrl as binary such that we can put it into
factory image, put it into PRODECT_PACKAGES_DEBUG fro the device.mk
Bug: 152901318
Test: Trusty storage tests
Change-Id: I8229113e7649c25d0a712b2b0964f23c9d41cf26
Adds an Abort() function to the fuzzer utils library that grabs and
prints the relevant trusty kernel logs before exiting the fuzzer.
Test: /data/fuzz/arm64/trusty_gatekeeper_fuzzer/trusty_gatekeeper_fuzzer
Change-Id: I7741c7e5e0ffdc402e3d3dd9a7e5856e2a640dd2
Remove WrappedPrivateKey and select wrapped vs plaintext key command
based on format instead.
Bug: 154033394
Test: send wrapped test key. Not yet accepted by trusty
Change-Id: I3b0a29be78f2a8e84ebd990713f66788256d8e3f
Remove the --key option part to disable the initial setting of rpmb key
on the mock rpmb device.
The RPMB provisioning scheme will program the RPMB key into the mock
rpmb device.
Bug: 152901318
Test: Trusty storage tests
Change-Id: I03b9cfbbd10e2e5364405319a57e2ecc4ee0f48e
Add ".check_key_programmed = true." for RPMB_REQ_DATA_READ such that
we can check whether the rpmb key has been programmed before executing
RPMB_REQ_DATA_READ command.
"JEDEC STANDARD Universal Flash Storage (UFS) Version 3.0" specifies
that data access before the key has been programmed should return
“Authentication Key not yet programmed” (0007h)..
Bug: 152901318
Test: Trusty storage tests
Change-Id: I4759fbce5f37234090a22a1d9dc3b38072f6ecaf
* Supports sending memfds in addition to data from an iovec
* Also add a basic test called send-fd
Bug: 117221195
Test: Run send-fd with corresponding Trusty application.
Change-Id: I562d2ff744938c868323a016659ca1332f6a576b
The mock RPMB can get out of sync with TD storage blocks in the event of
panic or crash. Making this O_SYNC will prevent this from happening.
Bug: 160723681
Test: None
Change-Id: Ia16dfc88ceae56e4e9724a42ac0db492c0e707a4
The in_cdb.length (ALLOCATION_LENGTH) must be set in order to send
SECURITY PROTOCOL IN command.
Bug: 143636526
Test: Trusty storage tests
Change-Id: Ie4252e9b19c05825c895ec07f8c9684ae456f6c9
The newer way of specifying the interface is using <fqname> and it also
has the handy side-effect of not causing conflicts when we add the
strongbox implementation to devices.
Test: make # check $OUT for the correct manifest
Change-Id: If8333814723261c4f3de375861ee19a6d922d55f
Library based HALs have been deprecated for several years now, and
Keymaster 2 based testing is woefully out of date compared to running
VTS against the modern 3.0 and 4.0 implementations.
Purging these modules and their resulting dependencies will make it
easier for the central system/keymaster repository to move forwards.
Test: mm
Bug: 150239636
Change-Id: Ic2ddbe685a50e65f9db25f682ad33105195efa8a
This implementation does not provide any security guaranties.
* The input method (NotSoSecureInput) runs a crypto protocols that is
sufficiently secure IFF the end point is implemented on a trustworthy
secure input device. But since the endpoint is currently in the HAL
service itself this implementation is not secure.
* This implementation provides most of the functionality, but not the
secure UI infrastructure required to run Android Protected
Confirmation.
Bug: 146078942
Test: VtsHalConfirmationUIV1_0TargetTest
Change-Id: I14717b5fa4ef15db960cdd506b8c6fe5369aec8d
The UFS support got rebased on top of the RPMB socket support
improperly. As a result, RPMB socket support was broken due to an
unconditional rmpb_fd = rc which would set the rpmb_fd to be connect()'s
error code in the case of an RPMB socket.
Bug: 146903427
Test: Boot Trusty+Android with the rpmb_dev mock, check for liveness
Change-Id: Ib1220dc49392f1a10369eed7716e44680bd83a66
This CL enables storageproxyd to run on UFS device.
The proxy prepares and sends SECURITY PROTOCOL IN/OUT commands to UFS
device.
Bug: 143636526
Test: Trusty storage tests
Change-Id: Ibe16578c12b978c9a95deccfb1873081e8d0e994
When developing, it may be preferable to operate on a device which does
not have a real RPMB storage, or which is unprovisioned. This CL allows
the rpmb_dev program to act as a daemon serving a fixed key, and for
storageproxyd to speak to rpmb_dev's socket rather than an actual rpmb
device or a virtual rpmb device.
Test: Trusty Gatekeeper VTS
Change-Id: I19b2b143fffb8e68e4a028d00eaf5cd1928e12f6
This makes it easier to add or remove the Trusty keymaster service from
a device by providing a manifest fragment to add whenever it is enabled.
Test: Keymaster VTS, Keystore CTS (sans attestation)
Change-Id: Ib0f5fd7c016c0c18d77c9d2623c89f3b35ba7ad7
The reference keymaster at system/keymaster still expects to receive its
auth tokens in the tags, rather than as a separate parameter. This
change injects the separate parameter passed to the KM4 HAL as a legacy
tag in the request.
Longer term, system/keymaster should support a separate authToken
parameter, and it should be serialized and sent to Trusty separately.
Test: Keymaster VTS + Keystore CTS (sans attestation)
Change-Id: Ie69cbd358504bb7612f7d55158509043cdad4e4e
Since these were combined into libhidlbase.
Bug: 135686713
Test: build only (libhwbinder/libhidltransport are empty)
Change-Id: I0bdffced6af52695c0ef98c9dd659348e56f7aa6
This patch replaces the legacy libhardware based gatekeeper HAL with a
true HIDL based implementation.
Test: Workes with trusty gatekeeper
Change-Id: I072b0c3fc74523400132aacd34e2f2cac9cf261b
Merged-In: I072b0c3fc74523400132aacd34e2f2cac9cf261b
Adds support for proxying V4.0 commands to Trusty and makes 4.0 the
default when including trusty-base.mk.
Bug: 128851722
Test: Keymaster VTS 4.0 + Trusty
Change-Id: I2e2220963996fcb88d6953ee1a58af1b947b857d
Previously we only installed the gatekeeper.trusty.so library, which is
insufficient to actually start Gatekeeper. We now also install the -impl
and -service wrappers.
Bug: 127700127
Test: Gatekeeper 1.0 VTS with Trusty running
Change-Id: Idd8d6a4e1e409c2a712dddfd92d5f9cf6b16b50c
In order to test Trusty gatekeeper automatically, the storage proxy
needs to be active inside the emulator. This patch allows storageproxyd
to speak a length-framed RPMB to an external RPMB daemon.
For a concrete example of a daemon speaking this protocol, see rpmb_dev
in the Trusty tree.
Bug: 124277696
Test: Launch storageproxyd with -t virt, use Trusty test infra
Change-Id: I391d4768976f0eb1f3b8df58eefd58fc3a9409cd
These files were previously not clang-format clean. I am submitting the
clang-format cleanup in its own CL to avoid mixing up the code I'm
adding/adjusting with old code which needed to be reformatted.
Bug: 124277696
Test: m
Change-Id: I8a57ca97925a16bee10b15d2013a5dcf87b0ed15
It is designed to connect to user specified port and
implements unittest logging protocol supported by
typical unittest ap running on Trusty side.
Test: manual
Change-Id: I6e37ccee9b9e4dde563ef0e4f531b42091cc2bd8
Modify TrustyKeymaster3Device::update method to handle the case when
amount of input data received exceeds a maximum amount supported by
underlying transport. In such case, only send an portion of data that
fits and allow higher levels to take care of the rest.
This is not an ideal fix as it is not very efficient for large sets
of data but at least it should work in more cases.
Test: android.keystore.cts
Change-Id: Id7360d0da3b87493193d480fc0c78c65dc1fc51f
KM1/KM2 implementations should treat nullptr and KeymasterBlob{nullptr, 0}
equally when passed in as client_id or app_data. However, trusty KM1
treats them differently.
Bug: 113110105
Bug: 113084196
Change-Id: Ie0e2b5d60d808e4f7a8e48aeb4c694268f9bc0a1
the new layer (Keymaster2PassthroughContext) will call the related function
operation, however, currently it’s null so it will have null pointer reference
issue and we need to provide them in the keymater legacy HAL.
Bug: 113084196
Change-Id: Id1b0df47c03d341aedc7a0634cb101966143641c
This message was originally ALOGV but got accidentally changed during a
refactoring in 81ebcb1943
Bug:110153632
Test: VtsHalKeymasterV3_0TargetTest
Change-Id: Ibdfa0ab50cb8544c6f23c15049904f1741769647
This allows the IPC functionality to be used by multiple HAL
implementations
Test: trusty_keymaster_tipc & keystore.trusty compile
Bug: 110153632
Change-Id: I78f273db6f59a417319058113e15e422ece73290
Added three new directories:
- include: contains ipc and legacy header files
- ipc: contains common keymaster IPC code that can be shared between HALS
- legacy: contains the old style HAL implementation
Test: trusty_keymaster_tipc & keystore.trusty compile
Bug:110153632
Change-Id: I2fdaa9d3d0421a0e359c05807ab5f0a12c5d3996
Trusty implementations are provided by vendors. This patch moves
the AOSP reference implementations to the vendor partition.
Bug: 63085384
Test: Build gordon_peak which adopts trusty as the TEE and confirm
that libtrusty and gateway.trusty are moved to /vendor.
Test: Build marlin which does not adopt trusty as the TEE and confirm
that this patch has no effect on the build result.
Test: mmm BOARD_VNDK_VERSION=current system/core/trusty
Change-Id: I7f6d897b86c69d06923a18d28154760e006dd193
Without this there is the possibility of message version mismatch
between the secure side and the non-secure side.
Bug: 63746689
Test: cts passes
Change-Id: I242974eb86dd86ba0f657e7ab3af4ac14c08bb5c
The CL is not complete and will cause build break when BOARD_VNDK_VERSION is set.
This reverts commit 7d81b4e081.
Change-Id: If9632fb7ee8147c39f1ad0860ddc3bed62ba89db
AttestKeyResponse may be larger than 4K (always less than 8K) when
attesting an RSA key. This change allows the non-secure side to read a
response that may be larger than 4K by adding an additional bit
indicating the end of a response. If a message command has the
KEYMASTER_STOP_BIT set, then the non-secure side knows that the response
has been fully read.
Test: android.keystore.cts.KeyAttestationTest#testRsaAttestation passes
with production attestation key and chain, when AttestKeyResponse is
larger than 4K.
Tested with other CTS tests when keymaster messages are smaller
than 4K, still passes.
Manual test to verify that a tipc error due to large message size is
handled correctly.
Bug: 63335726
Change-Id: I8776ba7ca70da893648e15cfa770784ab31a2cb0
Trusty implementations are provided by vendors. This patch moves
the AOSP reference implementations to the vendor partition.
Bug: 63085384
Test: build gordon_peak which adopts trusty as the TEE and confirm
that libtrusty and gateway.trusty are moved to /vendor.
Test: build marlin which does not adopt trusty as the TEE and confirm
that this patch has no effect on the build result.
Change-Id: I9a5440071386b929058207fdef560ed2d7223ba3
libnativeheader exports headers under nativeheader. These were
available before incorrectly as global headers in order to give
access to jni.h.
Test: modules using system/core find headers
Bug: 63762847
Change-Id: I86240f7857dd815100cab32ad261aa9a0a54329c
Fix a build breakage by renaming libkeymaster to
libkeymaster_staging. fugu's vendor tree already had
a libkeymaster.so which masked system/keymaster/libkeymaster.
Bug: 37997750
Change-Id: Iead014db3f3d841f08c8072b0493ec9fd7a05055
This patch also forces the underlying structure of enum keymaster_command
to be uint32_t.
Test: builds
Change-Id: Ie8969beb9d6a15313456fbe54ef3806f6778ade2
Point to log/log.h where necessary, define LOG_TAG where necessary.
Accept that private/android_logger.h is suitable replacement for
log/logger.h and android/log.h.
Correct liblog/README
Effectively a cleanup and controlled select revert of
'system/core: drop or replace log/logger.h' and
'system/core: Replace log/log.h with android/log.h'.
Test: compile
Bug: 30465923
Change-Id: Ic2ad157bad6f5efe2c6af293a73bb753300b17a2
Should use android/log.h instead of log/log.h as a good example
to all others. Adjust header order to comply with Android Coding
standards.
Test: Compile
Bug: 26552300
Bug: 31289077
Change-Id: I33a8fb4e754d2dc4754d335660c450e0a67190fc
Should use android/log.h instead of cutils/log.h as a good example
to all others. Adjust header order to comply with Android Coding
standards.
Test: Compile
Bug: 26552300
Bug: 31289077
Change-Id: I2c9cbbbd64d8dccf2d44356361d9742e4a9b9031
This adds a small utility which is useful to trigger access-controlled
NVRAM wipes from recovery and to disable wiping functionality after
boot.
BUG: 29260086
Change-Id: I131d400ab2643ce91d7838a2bb770afd48f83b5f
Force usage of upstream kernel headers to pull in
definition of rpmb related structures.
This change is required until b/25567964 is resolved.
Change-Id: Ic710d32281dcdd093f6308b82ee937143b692613
Bug: 25567964
The trusty-base.mk should be included by devices that use
Trusty TEE to pull in the baseline set of Trusty specific modules.
Change-Id: I47c2095a21f47a40d390c9d5426380ad9507a708
This adds an NVRAM HAL module implementation which interfaces with the
Trusty NVRAM app.
BUG: 23524282
Change-Id: Ibfee13baccc2c5369786a078f2feffcd4eb7a139