status after registering it with `CHECK_EQ` macro.
Bug: b/205760172
Test: atest VtsHalConfirmationUITargetTest
Change-Id: I00f5a09ca525e3abb63a5d1f404fb6f3daed9442
Bug: b/205760172
Test: Run android.hardware.confirmationui-service.trusty_fuzzer, confirmation UI test using CTS Verifier and atest VtsHalConfirmationUITargetTest
Change-Id: If0e97c9ae5f89fbbfa994c12ece53d3996e17a33
Replaced HIDL spec implementation with AIDL spec in confirmationui
module.
Ignore-AOSP-First: Dependent on internal change.
Bug: b/205760172
Test: Run confirmation UI test using CTS Verifier, atest VtsHalConfirmationUITargetTest
Change-Id: I49b9cb6d93fa35fd611003f7545d2ce4976eec7c
The new 6.0 kernel headers changed all variable length
structures from [0] to []. This causes a clang warning to
trigger, so rewrite the mmc data structures using a union
to avoid having a variable sized array in the middle of the
structure.
Test: Builds.
Change-Id: Ib1ac92c4f76af386d934f51a3c73cb8914e97624
This is the Android-side companion change to go/oag/2241573,
adding the interface for STORAGE_FILE_GET_MAX_SIZE (implementation
sold separately).
Bug: 247003431
Test: None
Change-Id: Ie834c91a085b2e4a668e0d9d22ec0f6b1e4e6c1c
This is effectively a no-op change; both packages are installed.
However, removing required and moving it to PRODUCT_PACKAGES cuts the
dependency from vendor modules to system-ext modules. This is needed for
vendor-only build test.
Test: build and see both packages are installed
Change-Id: I6620020a1eccfab08594c9be3b298611bd237f1d
The boringssl ACVP config has grown, so we need to increase the size of
our memory allocation that we share with the Trusty test TA.
Test: acvptool -wrapper trusty_acvp_modulewrapper -regcap
Bug: None
Change-Id: Ia90f4972d0d2ac420b09110f5647355a44175267
Add a specific error message to the Android CLI tool for the case
where the apploader rejected an attempt to load an application
which requested encryption of its ELF image via its manifest while
containing an unencrypted ELF image.
Bug: 241824652
Change-Id: Ib2a3c881015700492b8166be38c41753bf51b3b2
Fsync failures are special because they may indicate a failure of an
operation before the current operation. Report these cases as a new,
distinct error.
Test: Cause fsync failure and check error response
Bug: 239105007
Change-Id: Ie9d4a1949586e90006256c975786e21ced655e66
Previously we did not support STORAGE_MSG_FLAG_POST_COMMIT for anything
but RPMB operations (in which case it was a no-op). We need to support
this flag in order to store a superblock in non-secure storage, as we
need that write to commit atomically wrt all other writes.
Test: com.android.storage-unittest.nsp
Bug: 228793975
Change-Id: Ia453c1916970e0b65a91e42f18b920ac4e1f01db
Also add tighter checks to make sure we didn't drop events.
Bug: 240617890
Test: libtrusty_metrics_test
Change-Id: I0029d91ad0ff67eb97913b2316efca627b118616
These operations require excessive SELinux and UNIX permissions.
Instead of dropping privileges after starting we will start
storageproxyd as "system" user.
Bug: 205904330
Test: com.android.storage-unittest.td
Change-Id: I0b2503a746c52474c8cc2e1f7a2fbe17c98d6d8b
Boringssl added a new argument to the ACVP modulewrapper, so we need to
sync this change to the Trusty modulewrapper.
Test: m trusty_acvp_modulewrapper
Bug: 233873228
Change-Id: Ia79705d9fe32a07afc09cf8e0231db300073b504
* Add new `recv` method that takes a `Vec<u8>` and automatically
allocates extra buffer space and retries the read call if the buffer
does not have enough capacity.
* Rename the existing `recv` method to `recv_no_alloc`, and update docs
to clarify the behaviors of both methods.
* Add tests for the new `recv` method and update existing tests to use
`recv_no_alloc` instead.
Test: tipc-test-rs -m 1024 -t echo
Bug: 226659377
Change-Id: Ic437b617751e865da119fe0c4ef8aa456a63bf3c
Test logic is based on the tests in the original tipc-test C binary,
but adapted to use the Rust unit test infrastructure to make running
tests easier.
Test: Ran the tests
Bug: 226659377
Change-Id: I998013b2f8b304299acb09d58beb49330747802a
Add a specific error message to the Android CLI tool for the
case where the policy engine (http://go/aog/2051516) disallows
loading.
Test: Load a signed app that violates the policy
Bug: 208968719
Change-Id: I2aaa218ab3a7297ea62448de49baa0bfd6b1ee52
TRUSTY_SEND_SECURE operation was added to Trusty Linux driver by
aosp/1930989.
Bug: 224563842
Test: m libtrusty
Change-Id: Ic922ec177a8d35dba351415ab429216a1931a64d
On some devices it is infeasible to provision the KeyMint RoT bits in
the Android Bootloader. This provides an alternate path to provision
them from the TEE during early boot.
Bug: 219076736
Test: VtsAidlKeyMintTargetTest
Change-Id: Ibae9050b9a102dad3710f9495d3dfa43fa1d1b3f
Merged-In: Ibae9050b9a102dad3710f9495d3dfa43fa1d1b3f
This CL bumps the reported version for Trusty's
IRemotelyProvisionedComponent HAL interface for KeyMint. It also adds
the uniqueId field added to the RpcHardwareInfo in version 2.
Test: atest VtsHalRemotelyProvisionedComponentTargetTest
Change-Id: I336ec7cd12ca2ea3b836601ebe0ca400524b8ca4
Switches to syncing the parent directory immediately when creating a new
file rather than lazily waiting for a sync request. Because we only
create a new file when the userdata partition is cleared, this operation
doesn't need to be fast in the normal case. This avoids needing to track
the parent directory for each file for lazy syncing later, since storage
backing files may be in a subdirectory of the root.
Test: m storageproxyd, boot using new service binary
Bug: None
Change-Id: Ibcafae7da493864515c099bd81d48c95b0e5d8c3
Adds a check for a DSU mode boot in storageproxyd. Changes path handling
so that storageproxyd will not allow opening a file in the root data
path in DSU mode. Instead, storageproxyd creates an "alternate/"
directory in the data directory and the TA must use this directory to
store its backing file.
Re-landing reverted change: Iad68872dc6915f64eaf26cd3c92c04d9071ef169
Test: Boot into DSU and inspect logs for "Cannot open root data file"
Test: Test that TD writes in DSU mode don't corrupt host image storage
when using a compatible storage TA that supports alternate data mode.
Bug: 203719297
Change-Id: I1d07e7c3d15dc1beba2d340181d1b11a7988f869
This reverts commit 7c5658b5fd.
Reason for revert: selinux test errors in some branches
Bug: 215630608
Change-Id: I2a9c9d914b6c1d1248b4f11bd69484ae6b0ba8d1
Adds a check for a DSU mode boot in storageproxyd. Changes path handling
so that storageproxyd will not allow opening a file in the root data
path in DSU mode. Instead, storageproxyd creates an "alternate/"
directory in the data directory and the TA must use this directory to
store its backing file.
Test: Boot into DSU and inspect logs for "Cannot open root data file"
Test: Test that TD writes in DSU mode don't corrupt host image storage
when using a compatible storage TA that supports alternate data mode.
Bug: 203719297
Change-Id: Iad68872dc6915f64eaf26cd3c92c04d9071ef169
This allows for easier bumping of the KeyMint version level.
At the moment this change should have no effect: the same dependency
is used, just reached via a default rather than explicitly.
However, when the KeyMint version increases in the near future, using
this default should mean that no change is needed here: the default
definition will change to -V2 and this will be referenced here.
Test: TreeHugger
Change-Id: Ic250e5b91ee2b48cd7a05783ce21af16ae330ed1
rpmb_dev is a rpmb device stub used in emulation
as well as platform early bringup so we don't expect
any open source developer to be impacted by the migration
from MIT to Apache 2.0.
Note that with such a migration to Apache 2.0, recipients
won't receive lesser permissions, they just have updated
requirements for which license text to share along with the code.
Bug: 191508826
Test: None
Signed-off-by: Armelle Laine <armellel@google.com>
Change-Id: I0ae2bc66901344f8f9227e929a98946e52c50355
If a checkpointing operation is in progress, discard any write operations
that are flagged as STORAGE_MSG_FLAG_PRE_COMMIT_CHECKPOINT. In tandem
with trusty-side changes that set the flag appropriately, this avoids
the awkward case where the checkpoint is rolled back, which potentially
leads to inconsistency between the data and the superblock.
Based on Stephen's CL/1845477 "Add helper to check checkpoint state of
mounts".
Test: m storageproxyd
Bug: 194313068
Change-Id: Ib6a432db1bc1b034f803b743b0d7322e3f31d814
Attempts a retry of the intial write or read when an RPMB command
triggers a UNIT ATTENTION condition. This causes the UA status to be
reset and hopefully result in a successful command. This runs the risk
of retrying a successful write, but we wouldn't have been able to get
the RPMB response after that write anyway due to the UA condition.
Test: m storageproxyd
Bug: 200037389
Change-Id: Ib970e779365bb396756c114684c7f6e56a737ab1
Add an option to specify a service name. Currently only the "connect"
test supports this, and will try to connect to the named service
instead of the echo and datasink services.
Also fix the built-in help text, as it was missing the "burst" option,
and didn't mention that the "connect" test connects to both the echo
and datasink services.
Bug: 200034376
Test: run
Change-Id: I3903f94c16320f8e07ac4bfb69e3bb45329138c0
check_scci_sense (now renamed unexpected_scsi_sense) was supposed to
return false iff the sense data was valid and did not contain an error.
This return value was inverted. Invert the return values and rename the
function to clarify its role.
Test: m storageproxyd
Bug: 195544379
Change-Id: I3b84188aabe58345a83d2fd57bb8103e730cf365
Print an error message to stderr on connection failure, so that the
command doesn't exit silently in case of the common user error of
forgetting to run it as root.
Bug: None
Test: Run as regular user, see "permission denied" message.
Change-Id: Ia213dedccab27e6152b5eb969fbee06d82d3d4ff
tipc_test.c used a mix of tabs and spaces for indentation and other
things that clang-format doesn't like, so retab and format it.
Bug: None
Test: build
Change-Id: I9b3a64bae54697d43e7fb39fe7d6e1dabe0be380
Rewrites the buffer logging to print to the Android log instead of
stderr. The storageproxyd service is started by init and stderr is not
logged anywhere. Because we want to log sense data errors under normal
operation, we need to log to logcat instead of stderr.
Test: Define RPMB_DEBUG, build for qemu-trusty, run, inspect logcat
Bug: 195544379
Change-Id: Iecc0d4680420bb92c94be628789093888a2f1941
Adds parsing and logging of SCSI errors from SG_IO calls for RPMB. Does
not alter behavior of the RPMB proxy in response to these errors.
Test: m storageproxyd
Bug: 195544379
Change-Id: I928ddebcb65aa6c305d3dcab7c64bd19d11a50fa
Adds a file handle parameter to the debug print_buf function to allow
printing to either stdout or stderr.
Test: m storageproxyd
Bug: 195544379
Change-Id: Iade322a21312a676b3599bddafdfc43b599617ea
This change adds the RPK apk back into the image for Trusty Keymint
devices, though the functionality will still be disabled by the
server check-in for now.
Ignore-AOSP-First: Will be CP'ed to AOSP
Bug: 194509629
Test: atest RemoteProvisionerUnitTests
Change-Id: Ic20ca119bd9c0614f7559b24ad60718c813a0cca
The KeyMint TA may send responses that are longer thant the 8K buffer
that the KeyMint HAL holds. This patch introduces
trusty_keymaster_call_2 which can grow the receive buffer on demand.
Bug: 195622501
Test: VTS and CTS test for regression testing.
Change-Id: Ia06e590e547e649ca81cda9a71851f334970788f
Merged-In: Ia06e590e547e649ca81cda9a71851f334970788f
The ndk_platform backend will soon be deprecated because the ndk backend
can serve the same purpose. This is to eliminate the confusion about
having two variants (ndk and ndk_platform) for the same 'ndk' backend.
Bug: 161456198
Test: m
Change-Id: I7e60ee840fd64f9e36bafa8baea19daab9c15cea
We add a wakelock to the sequence of UFS commands so that
the sequence will not be disrrupted when devices get suspended.
Bug: 193456223
Test: Trusty storage tests
Change-Id: Ib90f8b284017cf261d2a2aea940834a42c21de02
The function send_ufs_rpmb_req is missing return paths on errors.
This patch fixes it so that any UFS command failure will return
error code to the function caller.
Bug: 193855098
Test: Trusty storage tests
Change-Id: I391ecff9ed3f892b7c3adae0ceeb18930791326f
This allows the relevant IPC code to be included in the provisioner tool
easily as it's shuffled over into a non-AOSP component due to
chip specific requirements in provisioning Device IDs.
Bug: 178796950
Test: Stuff builds
Merged-In: I57482e89035e8648544f87291ec14c6aece09bd0
Change-Id: I57482e89035e8648544f87291ec14c6aece09bd0
This change includes the code necessary to communicate to the
IRemotelyProvisionedComponent backend implementation running in Trusty.
It also makes the relevant changes to the manifest XML file to add the
IRemotelyProvisionedComponent HAL.
Bug: 192228022
Test: atest VtsHalRemotelyProvisionedComponentTargetTest
Change-Id: I32c30ce2dc44e95ff91574ce405f10e3b5dc9699
Merged-In: I32c30ce2dc44e95ff91574ce405f10e3b5dc9699
The Trusty KeyMint HAL did not forward auth tokens and confirmation
tokens to the TA. This broke all per-op-bound key operations.
Test: CtsVerifier biometrics tests.
Bug: 192201272
Merged-In: Ifb2b08514acab78ff3d4fec4bc928260820d4ce0
Change-Id: Ifb2b08514acab78ff3d4fec4bc928260820d4ce0
Bug: 177729159
Test: Not testable until more CLs land
Merged-In: Iea4e70bb5b4ce051492f2e42d2e0d219d088388e
Change-Id: Iea4e70bb5b4ce051492f2e42d2e0d219d088388e
We detect a TA crash by not being able to reconnect to its channel. We
were previously connecting to the TA at the beginning of each fuzz
iteration, but this results in only detecting a crash on the following
iteration. By moving this connection to the end of the fuzz iteration,
we can detect a crash corresponding to the correct fuzz iteration and
libFuzzer will produce the correct crashing input.
Test: /data/fuzz/arm64/trusty_keymaster_fuzzer/trusty_keymaster_fuzzer
Bug: 185407818
Change-Id: I6808c72611fcabab5b314218f8b588dd7d944188
Otherwise, these error logs don't end up in bugreports, making it very
difficult to debug.
When using locally, users will have to check logcat instead of stderr.
Bug: 183919392
Bug: 115420908
Test: m
Change-Id: I3b829347971d05968b851e11ce784829d12ef098
The parameter is intended to make the API backwards compatible with
legacy ION devices. It will be ignored for devices that support DMA-BUF
heaps.
Test: build
Bug: 154310076
Change-Id: Ic5b49269283caa7d05d9468f8ed7f02e1b3c1f1e
Merged-In: Ic5b49269283caa7d05d9468f8ed7f02e1b3c1f1e
Added SPDX-license-identifier-Apache-2.0 to:
libstats/pull_lazy/Android.bp
libstats/socket_lazy/Android.bp
trusty/utils/acvp/Android.bp
Bug: 68860345
Bug: 151177513
Bug: 151953481
Test: m all
Exempt-From-Owner-Approval: janitorial work
Change-Id: I33005150521238b61d1a8c923749b17d36bba693
We need to do this to make sure that target TA is connected to coverage
service.
Bug: 171750250
Test: trusty_test_fuzzer
Change-Id: I207b8c674a0c5630dd6baf966d3dfb243a855be0
The non-test fuzz targets should run automatically in Haiku.
None of these should be built for Host, and all but the
trusty_test_fuzzer should be built for Target.
Test: built locally (make haiku) and checked that non-test trusty fuzz
targets are included as expected.
Change-Id: Ic67b1e1ddea8ed61b83deef66acdeb0891489195
ConfirmationUI messages are a higher-level abstraction than TIPC
messages (which is what TIPC fuzzer fuzzes).
Bug: 174402999
Test: trusty_confirmationui_msg_fuzzer
Change-Id: I1e1e2c7070b87b78d6236993330df65202840ce6
The keymaster TA has 30841 distinct coverage counters, so 0x4000 counter
slots is not enough to handle this TA. Increase maximum number of
coverage counters to 0x8000.
Test: adb shell trusty_keymaster_fuzzer
Bug: 175918322
Change-Id: I879d18538edb4933a4205c8f73b7939ddbf69e37
Add an initial corpus for the keymaster fuzzer derived from running the
keystore2 unittests.
Test: adb shell "cd /data/fuzz/arm64/trusty_keymaster_fuzzer/ && ./trusty_keymaster_fuzzer corpus"
Bug: 175918322
Change-Id: I839bb9bacee1800cf2da25aedbb4ce3eccf16cba
libtrusty can be depended on by multiple thing in a fuzzer's
dependencies tree. It's no longer convenient to link to statically.
Leave tests statically linked. Test infra doesn't seem to handle shared
test libs correctly.
Bug: 171750250
Test: trusty_test_fuzzer libtrusty_coverage_test
Change-Id: Ic7d003151e43fb5bab63354fd42ea9667332743f
In order to validate the BoringSSL implementation in Trusty using ACVP,
we need a modulewrapper tool that forwards requests to Trusty and back
to the ACVP tool. Adds this tool, which interfaces with the Trusty ACVP
testing service.
Test: make trusty_acvp_modulewrapper
Test: adb shell "acvptool -wrapper trusty_acvp_modulewrapper -json vectors/ACVP-AES-CBC"
Bug: 173805789
Change-Id: I3028e44c00f8e315dfd94ea34c004bbd25fab788
Fix a typo in one of the short command line options
for the Trusty application loader. The typo caused
the tool to incorrectly accept the -s short option
and ignore it, but not accept the -D option which
is the short version of --dev.
Bug: 115420908
Test: m
Change-Id: I9d03f8dd20adedbd820621ae8f9b4d13137041ed
The header SecureDPU.h is moved out from the device specific folder as
it can be shared for different devices.
Bug: 176508588
Test: Pass TUI VTS test on the emulator.
Change-Id: I7695b49c4f7a247b570ced61145471efef3d0a3d