If a checkpointing operation is in progress, discard any write operations
that are flagged as STORAGE_MSG_FLAG_PRE_COMMIT_CHECKPOINT. In tandem
with trusty-side changes that set the flag appropriately, this avoids
the awkward case where the checkpoint is rolled back, which potentially
leads to inconsistency between the data and the superblock.
Based on Stephen's CL/1845477 "Add helper to check checkpoint state of
mounts".
Test: m storageproxyd
Bug: 194313068
Change-Id: Ib6a432db1bc1b034f803b743b0d7322e3f31d814
Attempts a retry of the intial write or read when an RPMB command
triggers a UNIT ATTENTION condition. This causes the UA status to be
reset and hopefully result in a successful command. This runs the risk
of retrying a successful write, but we wouldn't have been able to get
the RPMB response after that write anyway due to the UA condition.
Test: m storageproxyd
Bug: 200037389
Change-Id: Ib970e779365bb396756c114684c7f6e56a737ab1
Add an option to specify a service name. Currently only the "connect"
test supports this, and will try to connect to the named service
instead of the echo and datasink services.
Also fix the built-in help text, as it was missing the "burst" option,
and didn't mention that the "connect" test connects to both the echo
and datasink services.
Bug: 200034376
Test: run
Change-Id: I3903f94c16320f8e07ac4bfb69e3bb45329138c0
check_scci_sense (now renamed unexpected_scsi_sense) was supposed to
return false iff the sense data was valid and did not contain an error.
This return value was inverted. Invert the return values and rename the
function to clarify its role.
Test: m storageproxyd
Bug: 195544379
Change-Id: I3b84188aabe58345a83d2fd57bb8103e730cf365
Print an error message to stderr on connection failure, so that the
command doesn't exit silently in case of the common user error of
forgetting to run it as root.
Bug: None
Test: Run as regular user, see "permission denied" message.
Change-Id: Ia213dedccab27e6152b5eb969fbee06d82d3d4ff
tipc_test.c used a mix of tabs and spaces for indentation and other
things that clang-format doesn't like, so retab and format it.
Bug: None
Test: build
Change-Id: I9b3a64bae54697d43e7fb39fe7d6e1dabe0be380
Rewrites the buffer logging to print to the Android log instead of
stderr. The storageproxyd service is started by init and stderr is not
logged anywhere. Because we want to log sense data errors under normal
operation, we need to log to logcat instead of stderr.
Test: Define RPMB_DEBUG, build for qemu-trusty, run, inspect logcat
Bug: 195544379
Change-Id: Iecc0d4680420bb92c94be628789093888a2f1941
Adds parsing and logging of SCSI errors from SG_IO calls for RPMB. Does
not alter behavior of the RPMB proxy in response to these errors.
Test: m storageproxyd
Bug: 195544379
Change-Id: I928ddebcb65aa6c305d3dcab7c64bd19d11a50fa
Adds a file handle parameter to the debug print_buf function to allow
printing to either stdout or stderr.
Test: m storageproxyd
Bug: 195544379
Change-Id: Iade322a21312a676b3599bddafdfc43b599617ea
This change adds the RPK apk back into the image for Trusty Keymint
devices, though the functionality will still be disabled by the
server check-in for now.
Ignore-AOSP-First: Will be CP'ed to AOSP
Bug: 194509629
Test: atest RemoteProvisionerUnitTests
Change-Id: Ic20ca119bd9c0614f7559b24ad60718c813a0cca
The KeyMint TA may send responses that are longer thant the 8K buffer
that the KeyMint HAL holds. This patch introduces
trusty_keymaster_call_2 which can grow the receive buffer on demand.
Bug: 195622501
Test: VTS and CTS test for regression testing.
Change-Id: Ia06e590e547e649ca81cda9a71851f334970788f
Merged-In: Ia06e590e547e649ca81cda9a71851f334970788f
The ndk_platform backend will soon be deprecated because the ndk backend
can serve the same purpose. This is to eliminate the confusion about
having two variants (ndk and ndk_platform) for the same 'ndk' backend.
Bug: 161456198
Test: m
Change-Id: I7e60ee840fd64f9e36bafa8baea19daab9c15cea
We add a wakelock to the sequence of UFS commands so that
the sequence will not be disrrupted when devices get suspended.
Bug: 193456223
Test: Trusty storage tests
Change-Id: Ib90f8b284017cf261d2a2aea940834a42c21de02
The function send_ufs_rpmb_req is missing return paths on errors.
This patch fixes it so that any UFS command failure will return
error code to the function caller.
Bug: 193855098
Test: Trusty storage tests
Change-Id: I391ecff9ed3f892b7c3adae0ceeb18930791326f
This allows the relevant IPC code to be included in the provisioner tool
easily as it's shuffled over into a non-AOSP component due to
chip specific requirements in provisioning Device IDs.
Bug: 178796950
Test: Stuff builds
Merged-In: I57482e89035e8648544f87291ec14c6aece09bd0
Change-Id: I57482e89035e8648544f87291ec14c6aece09bd0
This change includes the code necessary to communicate to the
IRemotelyProvisionedComponent backend implementation running in Trusty.
It also makes the relevant changes to the manifest XML file to add the
IRemotelyProvisionedComponent HAL.
Bug: 192228022
Test: atest VtsHalRemotelyProvisionedComponentTargetTest
Change-Id: I32c30ce2dc44e95ff91574ce405f10e3b5dc9699
Merged-In: I32c30ce2dc44e95ff91574ce405f10e3b5dc9699
The Trusty KeyMint HAL did not forward auth tokens and confirmation
tokens to the TA. This broke all per-op-bound key operations.
Test: CtsVerifier biometrics tests.
Bug: 192201272
Merged-In: Ifb2b08514acab78ff3d4fec4bc928260820d4ce0
Change-Id: Ifb2b08514acab78ff3d4fec4bc928260820d4ce0
Bug: 177729159
Test: Not testable until more CLs land
Merged-In: Iea4e70bb5b4ce051492f2e42d2e0d219d088388e
Change-Id: Iea4e70bb5b4ce051492f2e42d2e0d219d088388e
We detect a TA crash by not being able to reconnect to its channel. We
were previously connecting to the TA at the beginning of each fuzz
iteration, but this results in only detecting a crash on the following
iteration. By moving this connection to the end of the fuzz iteration,
we can detect a crash corresponding to the correct fuzz iteration and
libFuzzer will produce the correct crashing input.
Test: /data/fuzz/arm64/trusty_keymaster_fuzzer/trusty_keymaster_fuzzer
Bug: 185407818
Change-Id: I6808c72611fcabab5b314218f8b588dd7d944188
Otherwise, these error logs don't end up in bugreports, making it very
difficult to debug.
When using locally, users will have to check logcat instead of stderr.
Bug: 183919392
Bug: 115420908
Test: m
Change-Id: I3b829347971d05968b851e11ce784829d12ef098
The parameter is intended to make the API backwards compatible with
legacy ION devices. It will be ignored for devices that support DMA-BUF
heaps.
Test: build
Bug: 154310076
Change-Id: Ic5b49269283caa7d05d9468f8ed7f02e1b3c1f1e
Merged-In: Ic5b49269283caa7d05d9468f8ed7f02e1b3c1f1e
Added SPDX-license-identifier-Apache-2.0 to:
libstats/pull_lazy/Android.bp
libstats/socket_lazy/Android.bp
trusty/utils/acvp/Android.bp
Bug: 68860345
Bug: 151177513
Bug: 151953481
Test: m all
Exempt-From-Owner-Approval: janitorial work
Change-Id: I33005150521238b61d1a8c923749b17d36bba693
We need to do this to make sure that target TA is connected to coverage
service.
Bug: 171750250
Test: trusty_test_fuzzer
Change-Id: I207b8c674a0c5630dd6baf966d3dfb243a855be0
The non-test fuzz targets should run automatically in Haiku.
None of these should be built for Host, and all but the
trusty_test_fuzzer should be built for Target.
Test: built locally (make haiku) and checked that non-test trusty fuzz
targets are included as expected.
Change-Id: Ic67b1e1ddea8ed61b83deef66acdeb0891489195
ConfirmationUI messages are a higher-level abstraction than TIPC
messages (which is what TIPC fuzzer fuzzes).
Bug: 174402999
Test: trusty_confirmationui_msg_fuzzer
Change-Id: I1e1e2c7070b87b78d6236993330df65202840ce6
The keymaster TA has 30841 distinct coverage counters, so 0x4000 counter
slots is not enough to handle this TA. Increase maximum number of
coverage counters to 0x8000.
Test: adb shell trusty_keymaster_fuzzer
Bug: 175918322
Change-Id: I879d18538edb4933a4205c8f73b7939ddbf69e37
Add an initial corpus for the keymaster fuzzer derived from running the
keystore2 unittests.
Test: adb shell "cd /data/fuzz/arm64/trusty_keymaster_fuzzer/ && ./trusty_keymaster_fuzzer corpus"
Bug: 175918322
Change-Id: I839bb9bacee1800cf2da25aedbb4ce3eccf16cba
libtrusty can be depended on by multiple thing in a fuzzer's
dependencies tree. It's no longer convenient to link to statically.
Leave tests statically linked. Test infra doesn't seem to handle shared
test libs correctly.
Bug: 171750250
Test: trusty_test_fuzzer libtrusty_coverage_test
Change-Id: Ic7d003151e43fb5bab63354fd42ea9667332743f
In order to validate the BoringSSL implementation in Trusty using ACVP,
we need a modulewrapper tool that forwards requests to Trusty and back
to the ACVP tool. Adds this tool, which interfaces with the Trusty ACVP
testing service.
Test: make trusty_acvp_modulewrapper
Test: adb shell "acvptool -wrapper trusty_acvp_modulewrapper -json vectors/ACVP-AES-CBC"
Bug: 173805789
Change-Id: I3028e44c00f8e315dfd94ea34c004bbd25fab788
Fix a typo in one of the short command line options
for the Trusty application loader. The typo caused
the tool to incorrectly accept the -s short option
and ignore it, but not accept the -D option which
is the short version of --dev.
Bug: 115420908
Test: m
Change-Id: I9d03f8dd20adedbd820621ae8f9b4d13137041ed
The header SecureDPU.h is moved out from the device specific folder as
it can be shared for different devices.
Bug: 176508588
Test: Pass TUI VTS test on the emulator.
Change-Id: I7695b49c4f7a247b570ced61145471efef3d0a3d
Trusty Keymaster will currently disconnect the client on an invalid
message. This includes the newly introduced GET_VERSION2 message.
While in the future we could change this behavior, this is a backcompat
path and so we can't assume a changed Trusty. Reconnect on failed
GET_VERSION2 before attempting version negotiation.
Bug: 177843218
Test: Set PIN on device using older Trusty
Change-Id: Ie60e4aaafa43e375797e6288b97834cac42413f4
* changes:
trusty: Add simple fuzzer for keymaster TA
trusty: Increase limit on coverage counters
trusty: Write out sancov file when fuzzer exits
trusty: Switch to dmabuf for coverage shared memory
Adds a simple libfuzzer-based coverage guided fuzzer for keymaster.
Current coverage is low, so we'll need to improve this with an initial
corpus or a more sophisticated protocol aware fuzzer.
Bug: 175918322
Test: make trusty_keymaster_fuzzer
Test: adb shell /data/fuzz/arm64/trusty_keymaster_fuzzer/trusty_keymaster_fuzzer
Change-Id: Iad1713e1a73cc5a6a3ec742cc433d1337aca9bc3
Keymaster has more than 4096 counters, so we need to allocate a larger
section for the libfuzzer extra counters. Increases the size of the
extra counters section to 16384.
Bug: 171750250
Test: atest libtrusty_coverage_test
Change-Id: Iaee2c74b6d0c7ae8a2e5a30525759f89f825a091
Add emission of sancov file when CoverageRecord is destroyed. This
will occur when a fuzzer driver exits cleanly, i.e. -runs=0 with an
existing corpus.
Test: make trusty_gatekeeper_fuzzer
Test: adb shell ./trusty_gatekeeper_fuzzer -runs=0 corpus
Bug: 175221942
Change-Id: I6bd1c8b2f2091e894c35f7a4874b54577a91c8fc
Trusty shared memory now uses dmabuf instead of memfd. Switch the
coverage buffer allocation to use libdmabufheap.
Test: atest libtrusty_coverage_test
Bug: None
Change-Id: I067dd0774d19b42380ce5cb8ceb3541fa77ef9f0
The corpus of Confirmationui usually contains multiple data packets
to be transfered from Android side to Trusty side.
Therefore we adjust the Confirmationui fuzzer so that it can send
data to Confirmationui TA several times through a same tipc channel.
Bug: 174402999
Bug: 171750250
Test: /data/fuzz/arm64/trusty_confirmationui_fuzzer/trusty_confirmationui_fuzzer
Change-Id: Ib6ae831e6a19c98eb62a1c75f77eb00f914e2f5c
We want to add coverage statistics to the trusty-ut-ctrl tool, which is
a vendor binary. Thus we need a vendor variant of libtrusty_coverage.
Merges system libtrusty_test and vendor libtrusty into a single
vendor_available library so that we can add vendor_available to
libtrusty_coverage and make it accessible from vendor tools.
Bug: 175221942
Test: make libtrusty_coverage
Change-Id: I68cc8f1c1580bda8591dbe744e9751474811576d
Adds the ability to retrieve and save program counter information from
the trusty coverage record data. PC information is saved to a .sancov
file, parseable by the LLVM sancov tool. Sancov can then symbolize and
display this coverage information for consumption by humans.
Adds a sancov dump to the libtrusty_coverage_test for testing.
Bug: 175221942
Test: atest libtrusty_coverage_test
Test: Retrieve sancov file and manually symbolize with sancov
Change-Id: I342ea2ca9abb87986b2904ff69415544ee6070fc
Simplifies development flow because libtrusty_test.so doesn't need to be
pushed with the fuzzer.
Bug: 171750250
Test: m trusty_gatekeeper_fuzzer && adb sync data && \
adb shell /data/fuzz/arm64/trusty_gatekeeper_fuzzer/trusty_gatekeeper_fuzzer
Change-Id: I7c83b5784ede4881dcd9c2dd33c97bf49fcde6ff
Change-Id: Iba60f03000bfca15b00e484ef3a168604c65554a
Add ExtraCounters to Confirmationui fuzzer so that the fuzzer can
grab the coverage information of the Confirmationui TA.
Bug: 174402999
Bug: 171750250
Test: /data/fuzz/arm64/trusty_confirmationui_fuzzer/trusty_confirmationui_fuzzer
Change-Id: I2e287281e7c8100f0d48413fbe0ff99d397a74c1
* changes:
trusty: provide coverage to gatekeeper fuzzer
trusty: fuzz: Example TA fuzzer
trusty: fuzz: Helper lib for libFuzzer extra counters
trusty: coverage: Coverage client library
Note: We need to add Confirmationui TA into
TRUSTY_BUILTIN_USER_TASKS to run the fuzzer.
Bug: 174402999
Bug: 171750250
Test: /data/fuzz/arm64/trusty_confirmationui_fuzzer/trusty_confirmationui_fuzzer
Change-Id: I22769782ded05eeedeb111f7537b5ba76e98ce73
Used by tests on the system side of the Treble boundary, e.g. fuzzing
Test: m libtrusty libtrusty_test
Change-Id: I56a15c80eb7c4b9e51f8e59a7cd1abdfc35d8d5a
Make the trusty-ut-ctrl as binary such that we can put it into
factory image, put it into PRODECT_PACKAGES_DEBUG fro the device.mk
Bug: 152901318
Test: Trusty storage tests
Change-Id: I8229113e7649c25d0a712b2b0964f23c9d41cf26
Adds an Abort() function to the fuzzer utils library that grabs and
prints the relevant trusty kernel logs before exiting the fuzzer.
Test: /data/fuzz/arm64/trusty_gatekeeper_fuzzer/trusty_gatekeeper_fuzzer
Change-Id: I7741c7e5e0ffdc402e3d3dd9a7e5856e2a640dd2
Remove WrappedPrivateKey and select wrapped vs plaintext key command
based on format instead.
Bug: 154033394
Test: send wrapped test key. Not yet accepted by trusty
Change-Id: I3b0a29be78f2a8e84ebd990713f66788256d8e3f
Remove the --key option part to disable the initial setting of rpmb key
on the mock rpmb device.
The RPMB provisioning scheme will program the RPMB key into the mock
rpmb device.
Bug: 152901318
Test: Trusty storage tests
Change-Id: I03b9cfbbd10e2e5364405319a57e2ecc4ee0f48e
Add ".check_key_programmed = true." for RPMB_REQ_DATA_READ such that
we can check whether the rpmb key has been programmed before executing
RPMB_REQ_DATA_READ command.
"JEDEC STANDARD Universal Flash Storage (UFS) Version 3.0" specifies
that data access before the key has been programmed should return
“Authentication Key not yet programmed” (0007h)..
Bug: 152901318
Test: Trusty storage tests
Change-Id: I4759fbce5f37234090a22a1d9dc3b38072f6ecaf
* Supports sending memfds in addition to data from an iovec
* Also add a basic test called send-fd
Bug: 117221195
Test: Run send-fd with corresponding Trusty application.
Change-Id: I562d2ff744938c868323a016659ca1332f6a576b
The mock RPMB can get out of sync with TD storage blocks in the event of
panic or crash. Making this O_SYNC will prevent this from happening.
Bug: 160723681
Test: None
Change-Id: Ia16dfc88ceae56e4e9724a42ac0db492c0e707a4
The in_cdb.length (ALLOCATION_LENGTH) must be set in order to send
SECURITY PROTOCOL IN command.
Bug: 143636526
Test: Trusty storage tests
Change-Id: Ie4252e9b19c05825c895ec07f8c9684ae456f6c9
The newer way of specifying the interface is using <fqname> and it also
has the handy side-effect of not causing conflicts when we add the
strongbox implementation to devices.
Test: make # check $OUT for the correct manifest
Change-Id: If8333814723261c4f3de375861ee19a6d922d55f
Library based HALs have been deprecated for several years now, and
Keymaster 2 based testing is woefully out of date compared to running
VTS against the modern 3.0 and 4.0 implementations.
Purging these modules and their resulting dependencies will make it
easier for the central system/keymaster repository to move forwards.
Test: mm
Bug: 150239636
Change-Id: Ic2ddbe685a50e65f9db25f682ad33105195efa8a
This implementation does not provide any security guaranties.
* The input method (NotSoSecureInput) runs a crypto protocols that is
sufficiently secure IFF the end point is implemented on a trustworthy
secure input device. But since the endpoint is currently in the HAL
service itself this implementation is not secure.
* This implementation provides most of the functionality, but not the
secure UI infrastructure required to run Android Protected
Confirmation.
Bug: 146078942
Test: VtsHalConfirmationUIV1_0TargetTest
Change-Id: I14717b5fa4ef15db960cdd506b8c6fe5369aec8d
